0

I've coded a little comment function on my website by PHP. I have noticed that there is a huge security risk. Users can write some HTML/PHP/MySQL and insert it into the table. Is there a easy way to prevent this?

This is my PHP insert script:

<?php
    if ( $_SERVER["REQUEST_METHOD"] == 'POST' ) {
    $kommentar_neu = $_POST["kommentar"];

    if (!empty($kommentar_neu)) { 
        $order = "INSERT INTO $db_kommentare
        (kommentar, teilnehmer, kommentardatum, projektnummer)
        VALUES
        ('$kommentar_neu', '$teilnehmer_name', '$zeiteingabe', 
         '$projektnummer_hw_order')";
    }
    }
?>
susanloek
  • 411
  • 1
  • 5
  • 19

2 Answers2

1

The problem you are describing is called "SQL Injection". There are many methods for dealing with it, and so the answer would be too long for this format, but Googling "SQL Injection" should get you started.

In any case, NEVER EVER EVER (well, with one notable exception...) create SQL statements by stringbashing. Create a prepared statement with parameters and pass them in.

A good starting point might be:

http://php.net/manual/en/security.database.sql-injection.php

This covers the injection of SQL into SQL, but some of the principles involved are applicable.

Tripp Kinetics
  • 5,178
  • 2
  • 23
  • 37
-3

There are various method you can use to prevent such thing. $your_variable;

$filter_variable = htmlspecialchars($your_variable);
$filter_variable = mysqli_real_escape_string($conn,$your_variable);

use prepare statement for create your sql query.

hope it will help you.

Happy coding.

innovative kundan
  • 631
  • 6
  • 13
  • stop telling people to use deprecated functions. mysql_* functions are deprecated. We are in 2015 ffs. http://php.net/manual/de/function.mysql-real-escape-string.php – Daniele D Oct 13 '15 at 14:38