How can I make this insertion secure from MySQL injection?

Question

I'm new to PHP and database programming and have been attempting to add data from a form to MySQL database. It works fine but is this open to my MySQL injection? I've read plenty of tutorials and I'm thinking PDO prepared statements. How can I do this for my comments field for example? This field (it's a text field) will be fairly open to whatever the user wants to put. How can I write this in order to make it more secure?

<?php
ob_start();
$username = 'name'; 
$password = 'pass'; 
$host = 'localhost'; 
$dbname = 'map';



try {
$dbh = new PDO("mysql:host=$host;dbname=$dbname", $username, $password);
// set the PDO error mode to exception
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "INSERT INTO Incidents (


        protocol,
        jurisdiction,
        date,
        time,
        comments,
        video,
        lat,
        lng



            )

        VALUES (


        '".$_POST["protocol"]."',
        '".$_POST["jurisdiction"]."',
        '".$_POST["date"]."',
        '".$_POST["time"]."',
        '".$_POST["comments"]."',
        '".$_POST["video"]."',
        '".$_POST["lat"]."',
        '".$_POST["lng"]."'


        )

        ";

// use exec() because no results are returned
$dbh->exec($sql);
header("Location: map1.php"); 

}
catch(PDOException $e)
{
echo $sql . "<br>" . $e->getMessage();
}

$dbh = null;




ob_end_flush();
?>

Answer 1

You already use PDO and that is very good.

But, you should also use prepared statements witch should be SQL injection proof. Check this link for more info : http://php.net/manual/en/pdo.prepared-statements.php

An insert example from the doc :

$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);

// insert one row
$name = 'one';
$value = 1;
$stmt->execute();

Answer 2

PDO is already much secure. Now you can use bindParam() to increase security like:

<?php
 ob_start();
 $username = 'name'; 
 $password = 'pass'; 
 $host = 'localhost'; 
 $dbname = 'map';

try {
 $dbh = new PDO("mysql:host=$host;dbname=$dbname", $username, $password);
 // set the PDO error mode to exception
 $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

 $sql = "INSERT INTO Incidents SET protocol = ?, jurisdiction = ?, date = ?, time = ?, comments = ?, video = ?, lat = ?, lng = ? ";
 $smt->$dbh->prepare($sql);
 $smt->bindParam(1, $_POST["protocol"]);
 $smt->bindParam(2, $_POST["jurisdiction"]);
 $smt->bindParam(3, $_POST["date"]);
 $smt->bindParam(4, $_POST["time"]);
 $smt->bindParam(5, $_POST["comments"]);
 $smt->bindParam(6, $_POST["video"]);
 $smt->bindParam(7, $_POST["lat"]);
 $smt->bindParam(8, $_POST["lng"]);

 // use exec() because no results are returned
 $smt->execute();
 if($smt->rowCount()) { // if insertion success
   header("Location: map1.php"); 
 }

}
catch(PDOException $e) {
   echo $sql . "<br>" . $e->getMessage();
}

 $dbh = null;

 ob_end_flush();
?>

Answer 3

You should use prepare statement.

Well, do this:

new PDO("mysql:host=$host;dbname=$dbname", $username, $password);

$sql = 'SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour';

$sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));

$sth->execute(array(':calories' => $variable, ':colour' => $color ));

$red = $sth->fetchAll();

$sth->execute(array(':calories' => 175, ':colour' => 'yellow'));

$yellow = $sth->fetchAll();

Example is originally taken from php.net

You can read more about it, here: http://php.net/manual/en/pdo.prepare.php

Answer 4

1) Use PDO
2) Escape all the special characters
3) Use parameterized queries

refer this How can I prevent SQL injection in PHP?