-1

I am having issues whenever I put a ' in text on a page that updates the database,

$query = "UPDATE news SET news1_title='$news1_title', news1_info='$news1_info', news1_body='$news1_body', news2_title='$news1_title', news2_info='$news2_info', news2_body='$news2_body' WHERE id=1";

As it cuts off and ends up throwing the text into the code.

Is there a way that I can add things like this safely, I know I can use ' but then when it shows it back in the page it returns as ' and I have to update them every time to ' otherwise it errors.

Thanks.

Doomie
  • 83
  • 6
  • Well, you'd need to escape your inputs, but that's so 2005. What you need to do is using PDO with Prepared Statements. http://jayblanchard.net/demystifying_php_pdo.html – Charlotte Dunois Jan 24 '16 at 21:22

2 Answers2

2

You need to not directly accept user input to your query. This is a huge SQL vulnerability. I could just do where 1=1; drop database; and delete all of your information.

Instead, consider using prepared statements to have your data sanitized in a safe and automatic way. Let's look at an OOP implementation:

$ret = array();
try{
    $mysqli = new mysqli('host', 'user', 'pass', 'db');
    $stmt = $mysqli->prepare('update news set news1_title = ?, news1_info = ?, news1_body = ?, news2_title = ?, news2_info = ?, news2_body = ? where ID = 1');
    $stmt->bind_param('ssssss', $news1_title, $news1_info, $news1_body, $news1_title, $news1_info, $news1_body);
    $stmt->execute() == true;

    $ret['status'] = 1;
    $ret['msg'] = 'Successfully updated!';
} catch (Exception $e ) {
    $ret['status'] = 0;
    $ret['msg'] = $e->message;
}

echo $ret['msg'];

By simply preparing and binding, we've sanitized our data and will no longer face the issues you've described above.

Ohgodwhy
  • 49,779
  • 11
  • 80
  • 110
  • Thank you for this, sorry I am still wet behind the ears of learning php/mysql and I haven't got to the security section of my learning. These will be only used by myself and someone I work with, what should I be putting into the success a bad section? – Doomie Jan 24 '16 at 21:29
  • I'm not sure what you mean by `what should I be putting into the success a bad section`. Can you clarify? And it shouldn't matter who's going to be using it, you should always implement best practices! If this was your car, would you not install doors? Surely not! – Ohgodwhy Jan 24 '16 at 21:33
  • Figure out about the if else section. I would implement best practices but when I am being taught and they haven't got to that part yet, I am doing it to the best of my ability. – Doomie Jan 24 '16 at 21:41
  • I've added a try/catch so you can see how to capture the error if there is one, and then an echo of the message. You can also switch on the status of 1/0 to see if it failed(0) or was successful(1) – Ohgodwhy Jan 24 '16 at 21:45
0

Try to escape it before you execute query
Like this:

mysqli_real_escape_string($mysql, $news1_title);
mysqli_real_escape_string($mysql, $news1_info);
$query = "UPDATE news SET news1_title='$news1_title', news1_info='$news1_info' WHERE id=1";

And for each of other vars you use in sql query.

$mysqli is mysqli connection that is the var where you use db host, db username, db password.

xYuri
  • 369
  • 2
  • 17
  • 1
    `mysql_real_escape_string` I think you meant `mysqli_real_escape_string` with the added "i". `mysql_` functions do not intermix with `mysqli_` and if they were to use `mysql_real_escape_string` as an `mysql_` function, the connection would come last, and not first. – Funk Forty Niner Jan 24 '16 at 22:03
  • Yes mysqli instead of mysql, i work with mysqli though, was just misspelling – xYuri Jan 25 '16 at 00:41