Would this PHP inserting be secure?

Question

I've been working on a little script to insert data into a database but I'm not very sure if it's secure this way. Some feedback would be pretty cool! So my question, is this a secure way of inserting data?

CODE:

function dbRowInsert($table, $data) {
   require_once('../config.inc.php');

     $buildData = null;
     $countLoop = 1;

     foreach($data as $field) {
          $sep = ($countLoop!=count($data) ? ',' : '') ;
      if((int)$field == $field) {
        $buildData .= (int)$field . $sep;
      } else {
        $buildData .= '"' .mysqli_real_escape_string((string)$field) . '"' . $sep;
      }
      $countLoop++;
     }

   $fields = array_keys($data);

   mysqli_query($conn, "INSERT INTO" . $table . "(`" . implode('`, `', $fields) . "`)
                        VALUES('" . $buildData . "')");
}

If your table / column names are not white-listed this is insecure. — Jay Blanchard, Jun 25 '15 at 13:59
@JayBlanchard Can I ask you, why this is insecure? If that's not off-topic. — peer, Jun 25 '15 at 14:00
Because any table or column name could be used for the query. — Jay Blanchard, Jun 25 '15 at 14:02
btw, `mysqli_real_escape_string` requires db connection be passed. http://php.net/manual/en/mysqli.real-escape-string.php — Funk Forty Niner, Jun 25 '15 at 14:03

score 2 · Accepted Answer · answered Jun 25 '15 at 14:03

2

The best way is to use object-oriented style. That's the first. The second is to use methods

prepare(), bind(), execute()

instead of

mysqli_real_escape_string()

etc.

Read about it in manual, it's simple and you will find it very useful and safety.

http://php.net/manual/en/mysqli.prepare.php

answered Jun 25 '15 at 14:03

pavon147

703
1
8
15

1

I'll have a look at this, thanks! – peer Jun 25 '15 at 14:05

Would this PHP inserting be secure?

1 Answers1