
Form

<FORM method="post" action="for.php">
    <input type="text" name="first" placeholder="first"><br>
    <input type="text" name="last" placeholder="last">
    <input type="submit">
</FORM>

Form Processing

How do I use SQL injection prevention methods when processing the form? I checked this link and I am confused after reading it: How can I prevent SQL injection in PHP?

<?php

$db_username = "sanoj";
$db_password = "123456";
try {
    # connection
    $conn = new PDO('mysql:host=localhost;dbname=localtest', $db_username, $db_password);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $data = $conn->prepare('INSERT INTO test (first, last) VALUES (:first, :last)');

    $first = mysql_real_escape_string($_POST['first']);
    $last = mysql_real_escape_string($_POST['last']);
    $data->execute(array(':first' => $first, ':last' => $last));
    # exception handling
} catch (PDOException $e) {
    echo $e->getMessage();
}
?>

Error

When I run the above code I am getting this error:

Deprecated: mysql_real_escape_string(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in C:\Users\logon\Documents\NetBeansProjects\teste local\for.php on line 11


2 Answers


Since you are using PDO prepared statements to execute your SQL queries there is no need to manually escape the inputs for SQL Injection.

You could just pass the parameters as they are submitted:

$first = $_POST['first'];
$last = $_POST['last'];
$data->execute(array(':first' => $first, ':last' => $last));

and the extension will take care of the rest.

Note: That is only a warning and you will get it whenever you try to use mysql_* extension functions with new versions of PHP.

Note 2: This only protects you from SQL Injection attacks so keep in mind there are numerous other ways a malicious user could exploit your code using XSS and an endless number of other attacks.

** UPDATE **

The warning is nothing to be worried about if you are handling that variable with caution. To get rid of it you could use:

// The form is submitted with method="post", so read from INPUT_POST
$first = filter_input(INPUT_POST, 'first', FILTER_SANITIZE_STRING);
$last = filter_input(INPUT_POST, 'last', FILTER_SANITIZE_STRING);

Warning "Do not Access Superglobal $_POST Array Directly" on Netbeans 7.4 for PHP

Kypros
  • What is the best way to protect from this, or what method can I use? –  Oct 18 '14 at 12:09
  • As I said in my answer, since you are using prepared statements you are already protected from MySQL Injection in the same way mysqli real escape string would protect you against this type of attacks. – Kypros Oct 18 '14 at 12:19
  • You don't have to, that's the point. Just use the code as in my answer since you are using `PDO`. – Kypros Oct 18 '14 at 12:25
  • Getting warning "do not access super global $_POST directly". –  Oct 18 '14 at 12:27

You don't have to use mysqli_real_escape_string here as PDO will take care of it. You can just simply pass your values in execute().

Try this:

<?php

$db_username = "sanoj";
$db_password = "123456";

#connection
$conn = new PDO('mysql:host=localhost;dbname=localtest', $db_username, $db_password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$data = $conn->prepare('INSERT INTO test (first, last) VALUES (:first, :last)');

$data->execute(array(':first' => $_POST['first'], ':last' => $_POST['last']));

The error you are getting is to inform you that mysql_real_escape_string is deprecated. You can read about it here: https://www.php.net/manual/en/function.mysql-real-escape-string

arif_suhail_123
  • http://stackoverflow.com/questions/14012642/what-is-the-pdo-equivalent-of-mysql-real-escape-string That is a bad practice and just a temp fix to get rid of the notice... – Kypros Oct 18 '14 at 12:04
  • Data is not inserted in table, bad idea. –  Oct 18 '14 at 12:04
  • It's of no use, nothing happens, still negative result. –  Oct 18 '14 at 12:12
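Both answers make the same point: with a PDO prepared statement the values are bound, not spliced into the SQL, so no escaping call belongs in front of `execute()`. The script below is an added example, not code from the question or from either answer. It runs the same INSERT through bound parameters, reads each row back, and checks that input containing an apostrophe, a quote-and-comment sequence, or an HTML tag is stored exactly as submitted. It also reads the form fields through `filter_input(INPUT_POST, ...)`, which is what the NetBeans "do not access superglobal $_POST directly" hint from the comments asks for, and escapes output with `htmlspecialchars()` for the XSS point in the first answer's second note. Assumptions: an in-memory SQLite database stands in for the MySQL `localtest` database so the script runs offline (swap in the MySQL DSN and credentials from the question for the real site), and the function names `connect`, `insertPerson`, `fetchPerson`, `postField` and `renderName` are mine.

```php
<?php
// Added example; not code from the question or either answer.
// ASSUMPTION: sqlite::memory: replaces the MySQL 'localtest' database so
// this runs offline. Replace the DSN with the one from the question for MySQL.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Report errors as exceptions instead of a false return value.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Ask for native prepared statements; SQLite and MySQL both support them.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE test (id INTEGER PRIMARY KEY, first TEXT NOT NULL, last TEXT NOT NULL)');
    return $pdo;
}

// Insert one row. The values never become part of the SQL text: the
// statement is compiled with placeholders and the values travel separately,
// which is why no escaping call is needed in front of execute().
function insertPerson(PDO $pdo, string $first, string $last): int
{
    $stmt = $pdo->prepare('INSERT INTO test (first, last) VALUES (:first, :last)');
    $stmt->execute([':first' => $first, ':last' => $last]);
    return (int) $pdo->lastInsertId();
}

// Read one row by id, again with a bound parameter rather than concatenation.
function fetchPerson(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT first, last FROM test WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Read a POST field through filter_input() instead of $_POST. Note the
// INPUT_POST source: the form in the question uses method="post".
// FILTER_DEFAULT does no sanitising; the SQL side is protected by the
// prepared statement, not by this function. Returns null if absent.
function postField(string $name): ?string
{
    $value = filter_input(INPUT_POST, $name, FILTER_DEFAULT);
    return is_string($value) ? $value : null;
}

// Escape a stored value before echoing it into HTML. This is the XSS
// concern from the first answer's second note and is separate from SQL injection.
function renderName(string $first, string $last): string
{
    return htmlspecialchars($first . ' ' . $last, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$pdo   = connect();
$first = postField('first');
$last  = postField('last');

if ($first !== null && $last !== null) {
    // Request from the HTML form: insert exactly what was submitted.
    echo 'Inserted row ' . insertPerson($pdo, $first, $last) . PHP_EOL;
} else {
    // Command line: constructed sample inputs in place of a form submission.
    $samples = [
        ["O'Brien", 'Smith'],
        ["Robert'); --", 'Tables'],
        ['<script>alert(1)</script>', 'Mallory'],
    ];
    foreach ($samples as [$sampleFirst, $sampleLast]) {
        $id  = insertPerson($pdo, $sampleFirst, $sampleLast);
        $row = fetchPerson($pdo, $id);
        // The round trip is exact: nothing was escaped, truncated or executed.
        if ($row === null || $row['first'] !== $sampleFirst || $row['last'] !== $sampleLast) {
            throw new RuntimeException('round trip changed the stored value');
        }
        printf("row %d stored %s / %s; HTML-safe: %s\n",
            $id, $row['first'], $row['last'], renderName($row['first'], $row['last']));
    }
}
```

Run it from the command line (`php example.php`) to see the three sample rows round-trip unchanged; served behind the form from the question it inserts the posted fields instead. The `ATTR_EMULATE_PREPARES = false` line is the one setting worth keeping in mind with MySQL: with emulation on, PDO quotes the values client-side and sends a single SQL string, which is still safe as long as the connection charset is set correctly, whereas native prepares keep values and SQL apart on the wire.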