
Below I have a PHP registration form that is working well, but I am a bit concerned, as the form is wide open to an SQL injection attack. I am aware of it but have very limited coding knowledge to prevent it, though I am still learning.

I have managed to add a CAPTCHA to prevent bots from auto-filling and submitting the form, but unfortunately the same can't be said of being able to validate the first name and last name. I am just wondering how I can safeguard myself against such an attack.

The relevant code is shown below. Thank you!

1) Check.php

<?php
    session_start();
    // Guard against undefined-index notices; the comparison logic itself is unchanged.
    $captcha = isset($_POST['captcha']) ? $_POST['captcha'] : '';
    $captcha_answer = isset($_SESSION['captcha_answer']) ? $_SESSION['captcha_answer'] : '';

    if($captcha != $captcha_answer) {
        echo 'Captcha is incorrect!';
    }
    else {
        echo 'Captcha is correct, congratulations! :)';
    }
?>

<?php
    if(isset($_POST['registration']) && $captcha == $captcha_answer)
    {
        require "connection.php";

        // strip_tags() only removes HTML markup; it does nothing against SQL injection.
        $FirstName = strip_tags($_POST['FirstName']);
        $LastName = strip_tags($_POST['LastName']);
        $Msisdn = $_POST['Msisdn'];
        $month = $_POST['month'];
        $day = $_POST['day'];
        $year = $_POST['year'];
        $date = $year . "-" . $month . "-" . $day;
        // 'Y-m-d' gives a four-digit year; the original 'y-m-d' would store e.g. 85-03-14.
        $dob = date('Y-m-d', strtotime($date));
        $Gender = $_POST['Gender'];
        $Faith = $_POST['Faith'];
        $City = $_POST['City'];
        $MarritalStatus = $_POST['MarritalStatus'];
        $Profession = $_POST['Profession'];
        $Country = $_POST['Country'];

        // Every value is concatenated straight into the SQL text: this is the injection point.
        // A single quote in any field ends the string literal and the rest is executed as SQL.
        $query = "insert into users set FirstName='".$FirstName."',LastName='".$LastName
            ."',Msisdn='".$Msisdn."',dob='".$dob."',Gender='".$Gender."',Faith='".$Faith."',City='".$City."',MarritalStatus='".$MarritalStatus."',Profession='".$Profession."',Country='".$Country."'";

        mysql_query($query) or die(mysql_error());

        echo "Successful Registration!";
    }
?>

2) Registration.php

</head>

<body>

    </tr>

<div id="div-regForm">

<div class="form-title">Sign Up</div>
<div class="form-sub-title">It's free and anyone can join</div>

    <form method="post" action="check.php" enctype="multipart/form-data">

    <table width="900" align="center" cellpadding = "15">



        <tr>
            <td>FirstName:</td>
            <td><input type="text" name="FirstName" maxlength="10" required="" ></td>

        </tr>
        <tr>
            <td>LastName:</td>
            <td><input type="text" name="LastName" maxlength="10" required=""></td>
  • This question appears to be off-topic because it is a code review request. This is better suited to codereview.stackexchange.com – John Conde Sep 11 '13 at 14:16
  • [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1) – DCoder Sep 11 '13 at 14:17
  • Look up prepared statements with mysqli or PDO; there is A LOT of information about that on the internet – x4rf41 Sep 11 '13 at 14:17
  • First thing to stop SQL injection attacks: stop using the deprecated mysql_* queries and move to PDO/mysqli – aynber Sep 11 '13 at 14:17
  • Ok, will do that... let me research it and see what will come up. Thanks! – Knight Slayer Sep 11 '13 at 14:20
  • For one thing, `enctype="multipart/form-data"` is not required unless you intend for file attachments and/or uploading options. – Funk Forty Niner Sep 11 '13 at 14:21

2 Answers

If you want to protect yourself against SQL injection, DO NOT use mysql_* functions. They are deprecated and don't support prepared statements.

Use PDO instead, and do read this.

ciruvan

1) You should use mysqli object-oriented prepared statements to prevent SQL injections. You should always do checks on BOTH the client side and the server side.

Simple example; added $stmt->bind_result and $stmt->fetch for completeness.

$mysqli = new mysqli("localhost", "root", "", "dbname");
// The SQL text holds only placeholders; the values are sent separately from the query.
$stmt = $mysqli->prepare("SELECT * FROM account WHERE username=? AND shapass=? LIMIT 1");
// "ss": both placeholders are bound as strings ($username and $encrypted_password come from the login form).
$stmt->bind_param("ss", $username, $encrypted_password);
$stmt->execute();
$stmt->bind_result($result1, $result2); // assuming table has 2 columns

while ($stmt->fetch())
{
      //do something
      echo $result1;
      echo $result2;
}
Computernerd
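Both answers recommend prepared statements but show a SELECT rather than the INSERT the question needs. The following is an added example, not code from the question or from either answer: check.php rewritten so that the CAPTCHA check, server-side validation of every field and the insert all happen without any user value ever being concatenated into the SQL text. It assumes a `users` table with the columns named in the question, the option lists for Gender and MarritalStatus (the form's select options are not shown in the question), the mbstring extension, PHP 5.6 or later for hash_equals(), and placeholder database credentials.

```php
<?php
// Added example, not code from the question or either answer: check.php rewritten so that every
// user-supplied value reaches MySQL as a bound parameter and never as part of the SQL text.
// Assumptions: a `users` table with the columns named in the question, the option lists for
// Gender and MarritalStatus, and the connection credentials, which are placeholders.
session_start();

// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// 1. CAPTCHA: constant-time comparison, and the stored answer is single-use.
$captcha        = isset($_POST['captcha']) ? (string) $_POST['captcha'] : '';
$captcha_answer = isset($_SESSION['captcha_answer']) ? (string) $_SESSION['captcha_answer'] : '';
unset($_SESSION['captcha_answer']);
if ($captcha_answer === '' || !hash_equals($captcha_answer, $captcha)) {
    exit('Captcha is incorrect!');
}
if (!isset($_POST['registration'])) {
    exit('No registration submitted.');
}

// 2. Server-side validation. maxlength/required in the HTML are advisory only; anyone can post
//    arbitrary values directly. Validation limits what gets stored; the prepared statement in
//    step 3 is what stops injection.
$fields = array('FirstName', 'LastName', 'Msisdn', 'month', 'day', 'year', 'Gender',
                'Faith', 'City', 'MarritalStatus', 'Profession', 'Country');
$in = array();
foreach ($fields as $name) {
    $in[$name] = isset($_POST[$name]) ? trim((string) $_POST[$name]) : '';
}
$errors = array();

// Names: letters in any script plus space, apostrophe and hyphen, 1-50 characters.
foreach (array('FirstName', 'LastName') as $name) {
    if (!preg_match('/^\p{L}[\p{L} \'-]{0,49}$/u', $in[$name])) {
        $errors[] = "$name must be 1-50 letters";
    }
}

// MSISDN: digits only; E.164 numbers are at most 15 digits.
if (!preg_match('/^[0-9]{8,15}$/', $in['Msisdn'])) {
    $errors[] = 'Msisdn must be 8-15 digits';
}

// Date of birth: check the parts, then format as YYYY-MM-DD for a DATE column.
$y = (int) $in['year']; $m = (int) $in['month']; $d = (int) $in['day'];
if (!checkdate($m, $d, $y) || $y < 1900 || $y > (int) date('Y')) {
    $errors[] = 'Invalid date of birth';
}
$dob = sprintf('%04d-%02d-%02d', $y, $m, $d);

// Choice fields: accept only the values the form offers (option lists assumed here).
$allowed = array(
    'Gender'         => array('Male', 'Female'),
    'MarritalStatus' => array('Single', 'Married', 'Divorced', 'Widowed'),
);
foreach ($allowed as $name => $options) {
    if (!in_array($in[$name], $options, true)) {
        $errors[] = "$name has an unexpected value";
    }
}

// Remaining free-text fields: non-empty and length-limited.
foreach (array('Faith', 'City', 'Profession', 'Country') as $name) {
    if ($in[$name] === '' || mb_strlen($in[$name], 'UTF-8') > 50) {
        $errors[] = "$name must be 1-50 characters";
    }
}

if ($errors) {
    // Echoing user-derived text back into HTML needs escaping too (that is XSS, a separate issue).
    exit(htmlspecialchars(implode('; ', $errors), ENT_QUOTES, 'UTF-8'));
}

// 3. Prepared statement. The SQL text contains only placeholders; the values travel separately,
//    so a FirstName of  O'Brien  or  '); DROP TABLE users; --  is stored as an ordinary string.
$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'dbname'); // placeholder credentials
$mysqli->set_charset('utf8mb4');

$stmt = $mysqli->prepare(
    'INSERT INTO users (FirstName, LastName, Msisdn, dob, Gender, Faith, City,
                        MarritalStatus, Profession, Country)
     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'
);
$stmt->bind_param('ssssssssss', $in['FirstName'], $in['LastName'], $in['Msisdn'], $dob,
                  $in['Gender'], $in['Faith'], $in['City'], $in['MarritalStatus'],
                  $in['Profession'], $in['Country']);
$stmt->execute();
$stmt->close();

echo 'Successful Registration!';
```

Two points worth checking in your own version: strip_tags() and mysql_real_escape_string() are not substitutes for binding (the first is an HTML filter, the second depends on the connection charset being set correctly), and the validation step is there to keep the stored data sane, not to block injection; with bind_param() the database never parses user input as SQL, so a name containing a quote is simply stored as written.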