
I have been told that the way I am grabbing the post, and then passing it to the query so that it can be stored, is very unsafe and insecure, and I would like to know ways I could strengthen it. I am quite a novice at this, so please bear with me.

    // Raw request values, taken straight from the POST body with no validation
    $course_price_final = $_POST['priceFinal'];
    $course_provider = $_POST['courseProvider'];
    $user_email = $_POST['userEmail'];
    $crs_title = $_POST['courseTitle'];
    $course_date1 = $_POST['courseDate'];
    $course_token = $_POST['courseToken'];
    $card_name =  $_POST['cardName'];

    $course_delivery = $_POST['courseDelivery'];
    $order_date = date("Y-m-d");
    // The values are interpolated directly into the SQL text; a quote character
    // inside any of them ends the string literal and the rest is parsed as SQL
    $insert_c = "insert into orders (course_title,course_price_final,course_provider,user_email,course_date,course_delivery,order_date,course_token) 
             values ('$crs_title','$course_price_final','$course_provider','$user_email','$course_date1','$course_delivery','$order_date','$course_token')";
    // $con is the mysqli connection opened elsewhere in the script
    $run_c = mysqli_query($con, $insert_c);
n-dru
code_legend
    If you're talking about SQL injection vulnerability, then yes, the code you're using right now is vulnerable to such an attack; you need to use prepared statements, which MySQLi already supports – Kevin Apr 18 '15 at 08:34
  • Use PDO with prepared statements – Manish Shukla Apr 18 '15 at 08:35

1 Answer

The simplest thing - use mysqli::real_escape_string($_POST['whatever']) on each post.

The best thing - use prepared statements.

http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

mariobgr
  • Thank you. How would I work around prepared statements, since it's the best thing to do? – code_legend Apr 18 '15 at 08:35
  • How does mysqli:real_escape make it more secure? – code_legend Apr 18 '15 at 08:35
  • I updated my answer with a useful link. real_escape_string escapes special characters in a string for use in a SQL statement – mariobgr Apr 18 '15 at 08:37
  • @mariobgr answers should be standalone, maybe add a short snippet of `mysqli` example code? – transistor09 Apr 18 '15 at 08:41
  • Could I use both mysqli and prepared statements? I am still trying to wrap my head around how they make it more robust, and how someone could try and harm – code_legend Apr 18 '15 at 08:46
  • Of course you can use them together. I will update my answer with examples as soon as I get to a computer. – mariobgr Apr 18 '15 at 08:50
  • @user3907211: all you need to know, and examples, are on the duplicate question. There isn't much need for someone to type them out again `:-)` – halfer Apr 18 '15 at 10:50
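The following is an added example, not code from the question or the answer above: the same INSERT into `orders` from the question, rewritten as a mysqli prepared statement so the POST values are sent separately from the SQL text. It assumes `$con` is an open `mysqli` connection and the column names from the question; `insert_order` and the `$required` list are names chosen for this example.

```php
<?php
// Added example: prepared-statement version of the question's INSERT.
// Assumes $con is an open mysqli connection and the orders table from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors instead of failing silently

function insert_order(mysqli $con, array $post): int
{
    // A ? placeholder stands in for every user-supplied value. The server compiles
    // the statement first and receives the values afterwards, so a quote character
    // in $post['courseTitle'] stays data and cannot change the query's structure.
    $stmt = $con->prepare(
        'INSERT INTO orders (course_title, course_price_final, course_provider, user_email,
                             course_date, course_delivery, order_date, course_token)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?)'
    );

    $order_date = date('Y-m-d');
    // Type string: one letter per placeholder, in order. 's' (string) works for
    // every column type; 'd' would be more precise for a DECIMAL/FLOAT price.
    $stmt->bind_param(
        'ssssssss',
        $post['courseTitle'],
        $post['priceFinal'],
        $post['courseProvider'],
        $post['userEmail'],
        $post['courseDate'],
        $post['courseDelivery'],
        $order_date,
        $post['courseToken']
    );
    $stmt->execute();
    return $stmt->affected_rows; // 1 when the row was stored
}

// Validate shape before touching the database: missing or non-string fields are
// rejected with a 400 rather than escaped and stored.
$required = ['priceFinal', 'courseProvider', 'userEmail', 'courseTitle',
             'courseDate', 'courseDelivery', 'courseToken'];
foreach ($required as $field) {
    if (!isset($_POST[$field]) || !is_string($_POST[$field])) {
        http_response_code(400);
        exit('Missing or invalid field: ' . $field);
    }
}
if (filter_var($_POST['userEmail'], FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Invalid email address');
}

insert_order($con, $_POST);
```

`mysqli_real_escape_string()` only protects a value that is placed inside single quotes in the SQL text, and it must be applied to every value individually; a prepared statement removes that per-value dependency, which is why the answer calls it the better option.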