-5

Hello, thanks to everyone for helping me with my current issue. Could you also check whether this code has any vulnerabilities?

    // Every value below is spliced straight into the SQL text, so any variable
    // that contains a single quote changes the statement: this is the injection
    // point. Note also that item_name is the literal string 'item_name', not
    // $item_name.
    $sql = "INSERT INTO `paypal_mysqltable_name`
            (datenow, item_name, item_number, payment_status, payment_amount,
             payment_currency, payer_email, payment_type, custom, invoice,
             first_name, last_name, address_name, address_country,
             address_country_code, address_zip, address_state, address_city,
             address_street)
            VALUES (CURRENT_TIMESTAMP, 'item_name', '$item_number', '$payment_status',
             '$payment_amount', '$payment_currency', '$payer_email', '$payment_type',
             '$custom', '$invoice', '$first_name', '$last_name', '$address_name',
             '$address_country', '$address_country_code', '$address_zip',
             '$address_state', '$address_city', '$address_street')";
    // mysql_* API (deprecated in PHP 5.5, removed in PHP 7)
    $result = mysql_query($sql, $link);

Hey everyone, sorry, I'm not very accustomed to SQL and PHP. I have turned my $link into MySQLi like recommended, but I have a problem writing the statement that I presented into this format.

    $stmt = $mysqli->prepare("

can anyone help

  • please, and please use `PreparedStatement` – Baby Dec 31 '13 at 04:03
  • How would I go about doing that? – OverFlowToMuch Dec 31 '13 at 04:03
  • To prevent SQL Injection, see http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php Then, when *using* the data (e.g. outputting in HTML), make sure to use the correct escaping - but that's a *different* issue, so not quite sure why "html" is a tag. – user2864740 Dec 31 '13 at 04:04
  • @user3148173 All your questions are answered in the linked question. – Barmar Dec 31 '13 at 04:04
  • As @user2864740 mentions, this question already has an answer [**here**](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Baby Dec 31 '13 at 04:07
  • I know folks will talk about prepared statements, but on an operational level are you validating any or all of these variables? You should. `$item_number`,`$payment_status`, `$payment_amount`,`$payment_currency`,`$payer_email`, `$payment_type`,`$custom` ,`$invoice`,`$first_name`,`$last_name`,`$address_name`,`$address_country`,`$address_country_code`,`$address_zip`,`$address_state`,`$address_city`,`$address_street`. – Giacomo1968 Dec 31 '13 at 04:08
  • @jakeGould Yes all of these variables will be validated – OverFlowToMuch Dec 31 '13 at 04:12

2 Answers

0

First of all, the mysql_* functions are deprecated, so switch to MySQLi or PDO.

Coming to your question:

It seems like you are worried about SQL injection issues. If you use prepared statements you can very well avoid them (SQLi), as escaping is done automatically.

Shankar Narayana Damodaran
0

Use `mysql_real_escape_string` for strings and `intval` for integers.

And, for something safer, use PDO.

BenMorel
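Both answers come down to the same fix: keep the values out of the SQL text and hand them to the driver separately. The following is an added example, not code from the poster or from either answerer, that rewrites the poster's INSERT as a prepared statement once with MySQLi (the form the poster was trying to write) and once with PDO (the second answer's recommendation), and validates the fields the comment thread said should be validated. The table and column names are the poster's; the connection details, the `validate_ipn_row()` rules, and the sample `$ipn` row are assumptions made here for illustration.

```php
<?php
// Added example (not the poster's or either answerer's code). Table and
// column names come from the question; connection details, the validation
// rules and the sample row are assumptions made here for illustration.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // prepare()/execute() throw on failure

// The poster's columns, in the poster's order, minus datenow (set to
// CURRENT_TIMESTAMP in the SQL itself). These are code constants, never user
// input, so interpolating them into the SQL text is safe.
const IPN_COLUMNS = [
    'item_name', 'item_number', 'payment_status', 'payment_amount',
    'payment_currency', 'payer_email', 'payment_type', 'custom', 'invoice',
    'first_name', 'last_name', 'address_name', 'address_country',
    'address_country_code', 'address_zip', 'address_state', 'address_city',
    'address_street',
];

// Assumed validation rules for the fields with a known shape, plus a length
// cap on the rest. This is about storing sane data; the placeholders below
// are what stop SQL injection, whether or not validation runs.
function validate_ipn_row(array $in): array
{
    $out = [];
    foreach (IPN_COLUMNS as $col) {
        $out[$col] = isset($in[$col]) ? trim((string) $in[$col]) : '';
    }
    if (!ctype_digit($out['item_number'])) {
        throw new InvalidArgumentException('item_number must be a non-negative integer');
    }
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $out['payment_amount'])) {
        throw new InvalidArgumentException('payment_amount must look like 19.99');
    }
    if (!preg_match('/^[A-Z]{3}$/', $out['payment_currency'])) {
        throw new InvalidArgumentException('payment_currency must be a 3-letter code');
    }
    if (filter_var($out['payer_email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('payer_email is not an e-mail address');
    }
    foreach ($out as $col => $val) {
        if (strlen($val) > 255) { // byte length; assumes VARCHAR(255) columns
            throw new InvalidArgumentException("$col is longer than 255 bytes");
        }
    }
    return $out;
}

// MySQLi: one ? per column, values bound with bind_param(). Every value is
// bound as a string ('s'); MySQL converts on insert, and no value is ever
// spliced into the SQL text, so a quote in $row['custom'] is just data.
function insert_ipn_mysqli(mysqli $db, array $row): int
{
    $row   = validate_ipn_row($row);
    $cols  = implode(', ', IPN_COLUMNS);
    $marks = implode(', ', array_fill(0, count(IPN_COLUMNS), '?'));
    $stmt  = $db->prepare("INSERT INTO `paypal_mysqltable_name` (datenow, $cols)
                           VALUES (CURRENT_TIMESTAMP, $marks)");
    $values = array_values($row);
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();
    return $stmt->affected_rows;
}

// PDO: named placeholders; the validated array's keys match the placeholder
// names, so the whole array is handed to execute().
function insert_ipn_pdo(PDO $db, array $row): int
{
    $row   = validate_ipn_row($row);
    $cols  = implode(', ', IPN_COLUMNS);
    $names = ':' . implode(', :', IPN_COLUMNS);
    $stmt  = $db->prepare("INSERT INTO `paypal_mysqltable_name` (datenow, $cols)
                           VALUES (CURRENT_TIMESTAMP, $names)");
    $stmt->execute($row);
    return $stmt->rowCount();
}

// Constructed sample row; the apostrophes would have broken (or been
// exploitable in) the poster's string-built query.
$ipn = [
    'item_name' => 'Widget', 'item_number' => '42', 'payment_status' => 'Completed',
    'payment_amount' => '19.99', 'payment_currency' => 'USD',
    'payer_email' => 'buyer@example.com', 'payment_type' => 'instant',
    'custom' => "O'Brien's order", 'invoice' => 'INV-1001',
    'first_name' => 'Pat', 'last_name' => "O'Brien", 'address_name' => "Pat O'Brien",
    'address_country' => 'Ireland', 'address_country_code' => 'IE',
    'address_zip' => 'D02', 'address_state' => 'Dublin', 'address_city' => 'Dublin',
    'address_street' => "1 O'Connell St",
];

// Assumed connection details.
$mysqli = new mysqli('localhost', 'dbuser', 'dbpass', 'shop');
$mysqli->set_charset('utf8mb4');
echo insert_ipn_mysqli($mysqli, $ipn), " row inserted via MySQLi\n";

$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, not client-side quoting
]);
echo insert_ipn_pdo($pdo, $ipn), " row inserted via PDO\n";
```

Two design points worth noting. The column list is built from a constant in the code, never from request data, which is the only reason interpolating `$cols` into the query text is acceptable; a column or table name coming from the client cannot be bound as a parameter and would need a whitelist. And `PDO::ATTR_EMULATE_PREPARES => false` makes PDO send the statement and its parameters to the server separately rather than quoting them client-side, which is the behaviour the first answer is relying on when it says escaping is handled for you.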