
I'm pretty new to PHP and am trying to learn more in the area of making my forms secure so that my DB is more difficult to mess up via SQL injection and such. The current web programmer/PHP guy at our company quit with short notice, so my boss has placed me in the PHP programmer's position temporarily, with only a single week of training under the previous programmer (I do lots of HTML and CSS work, but no PHP prior), until they can find a real replacement.

Anyways, I read that mysql_query() is a deprecated function and it should be avoided because that method is vulnerable. I see that my two options are now to use PDO or MySQLi. Being new to PHP, I'm having trouble figuring out what exactly I need to do to convert the code I am currently using (which sends info from a request-a-quote form on the site and stores it in the database in case of email troubles) into a more secure method of sending data to the database via PDO or MySQLi.

The current line of code I'm using is:

    $query = mysql_query("insert into request_for_quote(rfq_company_name, rfq_name, rfq_email, rfq_phone, rfq_end_user)
                          values ('$rfqCompanyName', '$rfqName', '$rfqEmail', '$rfqPhone', '$rfqEndUser')");

Which is mostly powered by $_POST variables.

    $rfqName        = mysql_real_escape_string($_POST['rfq_name']);
    $rfqEmail       = filter_var($_POST['rfq_email'], FILTER_VALIDATE_EMAIL);
    $rfqPhone       = mysql_real_escape_string($_POST['rfq_phone']);
    $rfqCompanyName = mysql_real_escape_string($_POST['rfq_company_name']);
    $rfqEndUser     = mysql_real_escape_string($_POST['rfq_end_user']);

Now, my code does what I need it to; it just seems like it is extremely vulnerable to database attacks, and I want to learn how to fix that, but it seems all the examples I'm finding online aren't using the setup of "insert X, Y, and Z variables into the table columns as values A, B, C".

Are there any simple changes I can do to make my database submission query more secure?

Andy Lester
Josh979
  • + for your efforts, but there are many subquestions here and ultimately quite broad. As such, it is likely this question will be closed. – Jason McCreary Apr 14 '15 at 19:13
  • What you're doing now is *ok* for the short term. Migrating to MySQLi or PDO can be a bit of a chunk unless you set it up simply. [This article](http://php.net/manual/en/mysqlinfo.api.choosing.php) will help you decide which API may be best for you. – Jay Blanchard Apr 14 '15 at 19:14
  • `mysql_query` isn't the problem, exactly. The problem is building SQL statements with untrusted variables. This question should get you started: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Andy Lester Apr 14 '15 at 19:37

1 Answer

I had written an answer to some form of similar question a few (6) months ago, but I can't find it as of now.

  • Search and replace.

Find `mysql_` and replace it with `mysqli_`; then replace `("SELECT...` by inserting the link after the bracket, so it reads `($dbLinkIdentifier, "SELECT...`, where that `$var` is the connection to the DB. This is procedural MySQLi.

The initial link `$dbLinkIdentifier` is a `mysqli_connect()` construction, because you can identify several database connections, each with its own `$var`.

This is a procedural MySQLi format/layout. If you want to move to OO MySQLi that's a little more complex structurally, but better overall.

Martin
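The search-and-replace above only swaps the API; on its own it still builds the SQL text from the form values, which is the actual injection problem Andy Lester points at in the comments. The following is an added example, not code from the question or the answer, showing the same `request_for_quote` INSERT from the question rewritten as a prepared statement, once in procedural MySQLi (the route the answer describes) and once in PDO. The table and column names come from the question; the connection constants, the `read_rfq_fields()`/`insert_rfq_*()` helper names and the 400 response are assumptions for the example. It also closes a quiet bug in the original: when `filter_var()` rejects the e-mail it returns `false`, which the original code interpolates into the query as an empty string.

```php
<?php
// Added example (not from the original post): the request_for_quote INSERT
// from the question, done with prepared statements so the form values are
// sent as parameters and never become part of the SQL text.
declare(strict_types=1);

// Assumption: connection parameters for the example; replace with your own.
const DB_HOST = 'localhost';
const DB_USER = 'rfq_user';
const DB_PASS = 'change-me';
const DB_NAME = 'company_site';

/**
 * Pull the five form fields out of $_POST. Trims whitespace and rejects a
 * malformed e-mail instead of storing "" (what happens when filter_var()
 * returns false in the original code). Returns null on any missing or
 * invalid field.
 */
function read_rfq_fields(array $post): ?array
{
    $names = ['rfq_company_name', 'rfq_name', 'rfq_email', 'rfq_phone', 'rfq_end_user'];
    $out = [];
    foreach ($names as $n) {
        if (!isset($post[$n]) || !is_string($post[$n])) {
            return null;
        }
        $out[$n] = trim($post[$n]);
    }
    if (filter_var($out['rfq_email'], FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $out;
}

/**
 * Procedural MySQLi, as in the answer, but with placeholders. "sssss"
 * declares all five bound values as strings; the server receives them
 * separately from the statement, so quotes in the input cannot change it.
 */
function insert_rfq_mysqli(mysqli $db, array $f): bool
{
    $sql = 'INSERT INTO request_for_quote
                (rfq_company_name, rfq_name, rfq_email, rfq_phone, rfq_end_user)
            VALUES (?, ?, ?, ?, ?)';
    $stmt = mysqli_prepare($db, $sql);
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param(
        $stmt, 'sssss',
        $f['rfq_company_name'], $f['rfq_name'], $f['rfq_email'],
        $f['rfq_phone'], $f['rfq_end_user']
    );
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

/**
 * PDO equivalent with named placeholders. Create the PDO with
 * PDO::ATTR_EMULATE_PREPARES => false so binding happens on the server
 * rather than by string substitution in the driver.
 */
function insert_rfq_pdo(PDO $pdo, array $f): bool
{
    $sql = 'INSERT INTO request_for_quote
                (rfq_company_name, rfq_name, rfq_email, rfq_phone, rfq_end_user)
            VALUES (:company, :name, :email, :phone, :end_user)';
    $stmt = $pdo->prepare($sql);
    return $stmt->execute([
        ':company'  => $f['rfq_company_name'],
        ':name'     => $f['rfq_name'],
        ':email'    => $f['rfq_email'],
        ':phone'    => $f['rfq_phone'],
        ':end_user' => $f['rfq_end_user'],
    ]);
}

$fields = read_rfq_fields($_POST);
if ($fields === null) {
    http_response_code(400);            // assumption: reject bad submissions outright
    exit('Invalid form submission.');
}

// MySQLi path. MYSQLI_REPORT_STRICT makes failures throw instead of
// returning false, so a broken query cannot go unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = mysqli_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME);
mysqli_set_charset($db, 'utf8mb4');
$saved = insert_rfq_mysqli($db, $fields);
mysqli_close($db);

// PDO path (use one or the other):
// $pdo = new PDO('mysql:host=' . DB_HOST . ';dbname=' . DB_NAME . ';charset=utf8mb4',
//                DB_USER, DB_PASS,
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
//                 PDO::ATTR_EMULATE_PREPARES => false]);
// $saved = insert_rfq_pdo($pdo, $fields);
```

Either helper drops the `mysql_real_escape_string()` calls entirely: with a prepared statement the escaping is no longer the application's job, and the `filter_var()` check is kept only as input validation, not as injection protection.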