0

I have been trying to do this for the past few days; I tried many functions such as

strip_tags, mysqli_real_escape_string, etc.

// Prevent MySQL Injection Attacks
function cleanQuery($connector,$string){
    if(get_magic_quotes_gpc())  // magic_quotes already added backslashes; remove them
        $string = stripslashes($string); // so they are not doubled by the escape below
    // mysqli_escape_string is an alias of mysqli_real_escape_string;
    // it escapes the value for use inside a quoted SQL string literal
    return mysqli_escape_string($connector,$string);
}

but none gave me the result I want.

What I want is to enter an article text, allow HTML editing, but prevent mysqli injection... can anyone help out?

As an example, I have this:

$data     = $_POST['data']; // raw user input, used as-is below

// the raw value is printed straight into the textarea
echo "<form method='POST' action='index.php?do=check'>
<textarea rows='10' name='data' cols='50'>$data</textarea>
<input type='submit' value='send' name='B1'>
</form>
  ";

// and interpolated unescaped into the SQL string
mysqli_query($conn,"insert into table(field)values('$data')");

The value of data is:

<p align="center"><b><font size="6">test</font></b></p>
<table border='1' width='100%'>
    <tr>
        <td>&nbsp;what's your name ?</td>
        <td>&nbsp;my name is `Jhone`</td>
        <td>&nbsp;</td>
    </tr>
    <tr>
        <td>&nbsp;</td>
        <td>&nbsp;</td>
        <td>&nbsp;</td>
    </tr>
</table>

an HTML input.

So how can I insert that into the database with no issues?

Hussein
  • 97
  • 12
  • 3
    mysqli prepared statements will give you all the necessary protection – user4035 Jan 08 '14 at 19:38
  • 1
    use prepared statements – Junior Jan 08 '14 at 19:38
  • 2
    You want to use prepared statements. http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php – gen_Eric Jan 08 '14 at 19:38
  • 2
    What makes you think that code won't protect you from SQL Injection? (It's suboptimal (prepared statements are a better approach), weirdly does input fixing at the same time as output preparation, but I don't see anything that would make it fail). – Quentin Jan 08 '14 at 19:38
  • 1
    `DEFINE` (expected) results. – Funk Forty Niner Jan 08 '14 at 19:39
  • Sorry, but I did not get how that will help in securing input? – Hussein Jan 08 '14 at 19:46
  • You shouldn't secure input, but use the correct escaping/encoding function on output, depending on the context. As others said, use prepared statements to prevent SQL injection. See [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Marcel Korpel Jan 08 '14 at 19:49
  • allowing html has nothing to do with SQL protection. Are you sure you don't mean allow html and avoid XSS? – Damien Pirsy Jan 08 '14 at 19:50
  • I want to allow HTML, but `':; ... those make issues while inserting into the DB... that's all. – Hussein Jan 08 '14 at 19:57
  • Here is an example on how `mysqli_real_escape_string` is used `$message=mysqli_real_escape_string($connector, $_POST['message']);`, `IF` that is what you're asking, which for the moment, is unclear. @Hussein – Funk Forty Niner Jan 08 '14 at 19:58
  • All I want is securing an input value before adding it to the database, not changing everything around :) – Hussein Jan 08 '14 at 20:14
  • But you're already doing that. As Quentin said, it's suboptimal, but it will work if you use that function on variables you want to insert into a database. – Marcel Korpel Jan 08 '14 at 20:15
  • Question edited for more explanation of my issue... please recheck. – Hussein Jan 08 '14 at 20:21
  • Just read the following, which is where many refer to: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php as well as https://www.owasp.org/index.php/Top_10_2013-Top_10 that's the best advice I can give you. You just need to read and understand how things work. Good luck. – Funk Forty Niner Jan 08 '14 at 20:23
  • 1
    Apart from @Fred-ii-'s comment, you're not using your function before feeding your variable into your database. But you should really have a look at prepared statements. – Marcel Korpel Jan 08 '14 at 20:24
  • Issue solved through prepare: http://www.php.net/manual/en/mysqli.prepare.php. Took time to work with as I want, but it does the trick... thank all. – Hussein Jan 08 '14 at 21:00

2 Answers

1

Issue solved through prepare as you guys said; it took time to work with as I want, but it does the trick... thank all.

For selecting and executing:

// each ? is a placeholder; the values are sent separately from the SQL text
$stmt = $connector->prepare('select * from TABLENAME where FIELD1 = ? and FIELD2 = ?');
// 'ss' = two string parameters, one letter per ?
$stmt->bind_param('ss', $FIELD1_VALUE,$FIELD2_VALUE);

$stmt->execute();

$result = $stmt->get_result(); // requires the mysqlnd driver
while ($row = $result->fetch_assoc()) {
    // do something with $row
}

$stmt->close();

In line 1, replace each value you want to insert with ?. In line 2, for each ?, put an s and add the value as shown above.

And for inserting:

$stmt = $connector->prepare('insert into TABLE(FIELD1,FIELD2,FIELD3)values(?,?,?)');
// 'sss' = three string parameters
$stmt->bind_param('sss',  $FIELD1_VALUE,$FIELD2_VALUE,$FIELD3_VALUE);

if ($stmt->execute()){
    echo "data added ";
}else{
    // $stmt->error holds the MySQL error message for the failed statement
    echo "Error adding data ".$stmt->error ;
}

$stmt->close();

The same rule applies.

Hope that helps! Regards,

Hussein
  • 97
  • 12
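The flow the asker wanted, as an added example that is not part of the answer above or the asker's code: the HTML block from the question is inserted with a mysqli prepared statement, read back by id, and rendered into the textarea with HTML escaping on output. The connection credentials, the `articles` table, and its `id`/`body` columns are assumptions for this demo.

```php
<?php
// Added example, not the asker's or answerer's code.
// Credentials, table and column names are placeholders (assumptions).
$conn = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
if ($conn->connect_error) {
    die('Connection failed: ' . $conn->connect_error);
}
$conn->set_charset('utf8mb4'); // binding and escaping rely on a known connection charset

// Constructed sample input: the markup from the question. The quotes and
// backticks need no manual escaping because the value never becomes part
// of the SQL text; it travels to the server as a bound parameter.
$data = "<p align=\"center\"><b><font size=\"6\">test</font></b></p>\n"
      . "<table border='1' width='100%'><tr>"
      . "<td>&nbsp;what's your name ?</td>"
      . "<td>&nbsp;my name is `Jhone`</td><td>&nbsp;</td></tr></table>";

function insertArticle(mysqli $conn, string $html): int
{
    // '?' is a placeholder; 's' tells mysqli to send the value as a string
    $stmt = $conn->prepare('INSERT INTO articles (body) VALUES (?)');
    $stmt->bind_param('s', $html);
    if (!$stmt->execute()) {
        throw new RuntimeException('Insert failed: ' . $stmt->error);
    }
    $id = $stmt->insert_id; // auto-increment id of the new row
    $stmt->close();
    return $id;
}

function fetchArticle(mysqli $conn, int $id): ?string
{
    $stmt = $conn->prepare('SELECT body FROM articles WHERE id = ?');
    $stmt->bind_param('i', $id); // 'i' binds an integer, so no quoting question arises
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result needs mysqlnd
    $stmt->close();
    return $row['body'] ?? null;
}

$id   = insertArticle($conn, $data);
$body = fetchArticle($conn, $id);

// Output context: the stored HTML goes back inside a <textarea>, so it is
// HTML-escaped here so it cannot close the textarea or run as markup.
// The raw markup is still stored unchanged in the database.
echo "<form method='POST' action='index.php?do=check'>\n"
   . "<textarea rows='10' name='data' cols='50'>"
   . htmlspecialchars((string) $body, ENT_QUOTES, 'UTF-8')
   . "</textarea>\n<input type='submit' value='send' name='B1'>\n</form>\n";

$conn->close();
```

Storage and display are kept separate on purpose: the prepared statement handles the SQL side, and `htmlspecialchars` handles the HTML side at the moment of output, which is the point several commenters made about encoding for the output context rather than "cleaning" the input.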
-1

MySQLi... try this code:

// Prevent MySQL Injection Attacks
function cleanQuery($connector,$string){
    // escape the value for use inside a quoted SQL string literal,
    // using the connection's current character set
    return $connector->real_escape_string($string);
}

If you're using mysqli, this code will work out perfectly for you.

xMoltenX
  • 199
  • 2
  • 11
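How the escaping function in this answer has to be used to actually protect the query, as an added example that is not the answerer's code: the escaped value only stays harmless when it is placed between single quotes in the SQL text, and the connection charset should be set before escaping. The credentials and the `articles` table are placeholders (assumptions).

```php
<?php
// Added example, not the answerer's code. Credentials and table name are
// placeholders (assumptions).
$conn = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
if ($conn->connect_error) {
    die('Connection failed: ' . $conn->connect_error);
}
// real_escape_string escapes according to the connection charset, so set it
// explicitly instead of relying on the server default.
$conn->set_charset('utf8mb4');

function cleanQuery(mysqli $connector, string $string): string
{
    return $connector->real_escape_string($string);
}

// Constructed sample input containing the characters the asker had trouble
// with (backtick, apostrophe, colon, semicolon).
$data = "<td>&nbsp;my name is `Jhone`</td><td>what's your name?: fine;</td>";

// Correct use: the escaped value is wrapped in single quotes in the SQL text.
// The apostrophe in "what's" arrives at the server as \' and the statement
// remains a single INSERT with the markup stored verbatim.
$sql = "INSERT INTO articles (body) VALUES ('" . cleanQuery($conn, $data) . "')";
if ($conn->query($sql)) {
    echo "data added\n";
} else {
    echo 'Error adding data: ' . $conn->error . "\n";
}

// Limitation: escaping is meaningless for a value that is not inside quotes,
// because nothing needs a quote character to alter such a statement. A numeric
// id must be cast to int (or bound with a prepared statement) instead.
$id  = (int) ($_GET['id'] ?? 0);
$res = $conn->query("SELECT body FROM articles WHERE id = $id");
if ($res && ($row = $res->fetch_assoc())) {
    // stored HTML is returned unchanged; escape it for whatever output context it goes into
    echo htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8') . "\n";
}

$conn->close();
```

This is why the other answer and most of the comments steer towards prepared statements: with `bind_param` the quoting, charset and type questions are handled by the driver, whereas with `real_escape_string` each call site has to get the quoting right by hand.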