Hey there, I have searched but cannot find the answer I am looking for. My form will not post to my database. I started getting SQL injected, so I changed my code around to use `$mysqli->real_escape_string`, but it still does not seem to want to post; all I am getting is the error in the code. Any help would be greatly appreciated.

```html
<form action="" method="post">
<br/>
<input type="text" name="Key" class="dap_text_box" placeholder="Enter Key"/><br/>
<br/>
<input type="text" name="Name" class="dap_text_box" placeholder="Name"/><br/>
<br/>
<input type="text" name="Email" class="dap_text_box" placeholder="Email"/><br/>
<br/>
<input type="text" name="IP_s_" class="dap_text_box" placeholder="Enter IP"/><br/>
<br/>
<input type="submit" name="submit" value="Key Activation" class="sendbutton"/>
</form>
<hr/>
</body>
</html>
```

```php
<?php

if (isset($_POST['submit'])) {
    $mysqli = new mysqli("localhost", "root", "rkPJNwe0cI", "key");
    // Check
    if ($mysqli->connect_error) {
        die("Connection failed: " . $mysqli->connect_error);
    }

    // Set charset for correct escaping
    $mysqli->set_charset('utf8');

    echo $_SERVER["REMOTE_ADDR"]; // mmm?

    $key   = $mysqli->real_escape_string($_POST['Key']);
    $IP    = $mysqli->real_escape_string($_POST['IP']);
    $name  = $mysqli->real_escape_string($_POST['Name']);
    $email = $mysqli->real_escape_string($_POST['Email']);
    $IP_s  = $mysqli->real_escape_string($_POST["IP_s_"]);

    // (ID, Key, Activated, IP, Banned)
    $sql = "INSERT INTO keys (ID, Key, Activated, IP, Banned, Name, Email)  VALUES ('$ID1', '$key', 1, '$IP', 0, '$name', '$email')";
    $sql1 = "SELECT ID, Key, Activated, IP, Name, Email FROM Keys";

    $sql = "UPDATE Keys set IP='$IP_s_', Name='$name', Email='$email', Activated='1' WHERE Key='$key'";
    if ($mysqli->multi_query($sql) === TRUE) {
        echo "Activated";
    } else {
        echo "Error";
    }

    $mysqli->close();
}
```
Machavity
BERWIN
  • Where is `$ID1` set? Why not use prepared statements? So much easier and efficient than trying to escape each individual string. – Devon Bessemer Aug 20 '15 at 23:43
  • You have `$sql` doing an `INSERT` but never execute that statement. Then you fill `$sql` with an `UPDATE` and execute that – Machavity Aug 20 '15 at 23:44

1 Answer

You have quite a few things wrong from what I can see. Too long for a comment.

You use `multi_query()` but only have one query defined in `$sql`. Your insert statement and select statement don't appear to be doing anything; you overwrite the insert statement before you call `multi_query()`.

`$ID1` doesn't appear to be defined anywhere for your insert statement.

Why not use prepared statements? So much easier and efficient than trying to escape each individual string.

Devon Bessemer
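The prepared-statement approach the answer recommends, applied to the question's `UPDATE`, as an added example that is not code from the question or the answer. It also backtick-quotes the identifiers, because `KEY` and `KEYS` are reserved words in MySQL and fail to parse unquoted. Assumptions: the `Keys` table and column names are taken from the question, `activate_key` is a hypothetical helper name, and `DB_USER`, `DB_PASS` and `DB_NAME` are hypothetical environment variables replacing the hardcoded root credentials.

```php
<?php
// Added example: assumes the `Keys` table and columns shown in the question.
// Make mysqli throw mysqli_sql_exception instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: activates one key, returns true if a row was changed.
function activate_key(mysqli $db, string $key, string $name, string $email, string $ip): bool
{
    // Binding stops injection; it does not make the values meaningful,
    // so check their shape before touching the database.
    if ($key === '' || $name === ''
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false
        || filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }

    // Reserved words (Keys, Key) are backtick-quoted. The ? placeholders keep
    // user input out of the SQL text entirely, so no escaping is needed.
    $stmt = $db->prepare(
        'UPDATE `Keys` SET `IP` = ?, `Name` = ?, `Email` = ?, `Activated` = 1 WHERE `Key` = ?'
    );
    $stmt->bind_param('ssss', $ip, $name, $email, $key);
    $stmt->execute();
    // 0 affected rows: no such key, or the row already held these values.
    $changed = $stmt->affected_rows > 0;
    $stmt->close();
    return $changed;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Treat missing or array-valued fields as empty strings.
    $field = fn(string $n): string => is_string($_POST[$n] ?? null) ? trim($_POST[$n]) : '';
    try {
        // Hypothetical environment variable names; use a least-privilege account.
        $db = new mysqli('localhost', getenv('DB_USER') ?: null,
                         getenv('DB_PASS') ?: null, getenv('DB_NAME') ?: null);
        $db->set_charset('utf8mb4');
        $ok = activate_key($db, $field('Key'), $field('Name'), $field('Email'), $field('IP_s_'));
        echo $ok ? 'Activated' : 'Key not activated';
        $db->close();
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage()); // details go to the server log, not the response
        http_response_code(500);
        echo 'Error';
    }
}
```

The form field is read as `IP_s_`, the only IP input the question's form actually posts; the question's code also read a nonexistent `$_POST['IP']` and interpolated an undefined `$IP_s_` variable.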