-3

I'm working on a blog right now that aims to display messages only to the people they belong to, so I have a select in HTML where people can select a person, and then it sends it to that table in MySQL.

What I now have in the index.html:

<form action="post.php" method="post">
        <div class="paper col-sm-6">
                <label>Name:</label>
                <input type="text" name="name" placeholder="Name" class="form-control">
                <label>Who is this message for?</label>
                <!-- no value attributes: the option text (students/teachers/parents/companies) is what gets submitted as "portal" -->
                <select name="portal" class="form-control">
                    <option id="0">Select</option>
                    <option id="1">Leerlingen</option>
                    <option id="2">Docenten</option>
                    <option id="3">Ouders</option>
                    <option id="4">Bedrijven</option>
                </select>
        </div>
        <div class="paper col-sm-6">
                <label>Email:</label>
                <input type="email" name="email" placeholder="Email" class="form-control">
                <label>Subject:</label>
                <input type="text" class="form-control" placeholder="Subject" name="subject"/>
        </div>
        <div class="paper col-sm-12">
                <label>Short information:</label>
                <input class="form-control" type="text" name="short"/>
                <label>Full information</label>
                <textarea class="form-control" rows="4" cols="50" name="long"></textarea>
        </div>
        <div class="paper col-sm-12 text-center">
                <div class="col-xs-12" style="height:25px;"></div>
                <button class="btn btn-default">Send!</button>
        </div>
</form>

and this in my post.php:

<?php
    $servername = "localhost";
    $username = "a1070rik";
    $password = "";
    $dbname = "portals";
    $title = '$_POST[subject]';
    $by = '$_POST[name]';
    $short = '$_POST[short]';
    $long = '$_POST[long]';
    $portal = '$_POST[portal]';

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
} 

$sql = "INSERT INTO $portal (id, title, by, short, long)
VALUES ('', $title, $by, $short, $long)";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
?>

When I try to run it, it gives me this vague error:

Error: INSERT INTO $_POST[portal] (id, title, by, short, long) VALUES ('', $_POST[subject], $_POST[name], $_POST[short], $_POST[long])
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '[portal] (id, title, by, short, long) VALUES ('', $_POST[subject], $_POST[name],' at line 1

Thanks

EDIT:

Thanks everyone that helped,

this code eventually worked for me:

<?php
    $servername = "localhost";
    $username = "a1070rik";
    $password = "";
    $dbname = "portals";
    $title = $_POST['subject'];
    $by_information = $_POST['name'];
    $short = $_POST['short'];
    $long_information = $_POST['long'];
    $portal = $_POST['portal'];

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
} 

// the variables renamed above ($by_information, $long_information) have to be the ones used here
$sql = "INSERT INTO  $portal (`id`, `title`, `info_bys`, `info_shorts`, `info_longs`) VALUES ('', '$title', '$by_information', '$short', '$long_information')";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
?>
Rik Nijdeken
    `'$_POST[subject]';` is the literal string `'$_POST[subject]';` actually, mind that - and you must quote a string before insertion. All of this if you still want to have unsecured and vulnerable queries, of course – Damien Pirsy Mar 03 '16 at 09:24
  • THIS DESIGN IS DANGEROUSLY BROKEN! You are going to be wide open to an SQL injection attack if you continue down this path. https://xkcd.com/327/ – GordonM Mar 03 '16 at 09:31
  • by is a reserved word; use it like this, with backticks: `by` – arif_suhail_123 Mar 03 '16 at 09:32
  • Why do you have multiple database tables with the exact same structure? – jeoj Mar 03 '16 at 09:36
  • It's like a blog that is for teachers, students, parents etc. So the posts for parents can't be visible to students etc. – Rik Nijdeken Mar 03 '16 at 09:38
  • long is also a reserved word, escape that too https://dev.mysql.com/doc/refman/5.5/en/keywords.html – arif_suhail_123 Mar 03 '16 at 09:41

2 Answers

-1

$_POST works like an array, so you will need to get values from $_POST by its indexes, i.e. in your case subject, name etc. So remove the ' while assigning the values to the variables.

$title = $_POST['subject'];
$by = $_POST['name'];
$short = $_POST['short'];
$long = $_POST['long'];
$portal = strtolower($_POST['portal']);

NOTE: The names 'by', 'long' are MySQL reserved keywords. So change them.

Update your SQL from

 $sql = "INSERT INTO $portal (id, title, by, short, long) VALUES ('', '$title', '$by', '$short', '$long')";

TO

 $sql = "INSERT INTO  $portal (`id`, `title`, `info_bys`, `info_shorts`, `info_longs`) VALUES ('', '$title', '$by', '$short', '$long')";

Your SQL is vulnerable, so use

// prepare and bind (bind_param needs the type string first, one "s" per string placeholder;
// the table name cannot be a bound parameter, so $portal is still interpolated here)
$stmt = $conn->prepare("INSERT INTO  $portal (`title`, `info_bys`, `info_shorts`, `info_longs`) VALUES (?, ?, ?, ?)");
$stmt->bind_param("ssss", $title, $by, $short, $long);
$stmt->execute();
urfusion
  • Thanks, it kind of worked, but now I have a new error, – Rik Nijdeken Mar 03 '16 at 09:28
  • You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'by, short, long) VALUES ('', awcacawdca, acawcac, adawdad, dadadwd)' at line 1 – Rik Nijdeken Mar 03 '16 at 09:28
  • by, which he is using as the column name, is a reserved word; my English is short, but he needs to escape it – arif_suhail_123 Mar 03 '16 at 09:36
  • @RikNijdeken : The names 'by,long' are MySQL reserved keywords – urfusion Mar 03 '16 at 09:41
  • @RikNijdeken : yes. Change `by` to `by_information` and `long` to `long_information`. – urfusion Mar 03 '16 at 09:43
  • just escape them by using this ` on both sides, long and by – arif_suhail_123 Mar 03 '16 at 09:44
  • @urfusion tried to edit it, still got the same error. – Rik Nijdeken Mar 03 '16 at 09:48
  • @arif_suhail_123 could you give me an example of escaping it, I'm pretty much a noob – Rik Nijdeken Mar 03 '16 at 09:48
  • read this link http://stackoverflow.com/questions/17634915/how-to-escape-reserved-mysql-words-in-query-in-php – arif_suhail_123 Mar 03 '16 at 09:50
  • @RikNijdeken : can you print your query. – urfusion Mar 03 '16 at 09:53
  • @urfusion okay $sql = "INSERT INTO $portal (id, title, by, short, long) VALUES ('', '$title', '$by', '$short', '$long')"; – Rik Nijdeken Mar 03 '16 at 09:54
  • Could it be because the select says Bedrijven with an uppercase B and the MySQL table has it with a lowercase b? – Rik Nijdeken Mar 03 '16 at 09:55
  • According to the code I have updated, it should work now, and the query will be like `INSERT INTO portal (`id`, `title`, `info_bys`, `info_shorts`, `info_longs`) VALUES ('', 'sadf', 'name', 'short', 'long')` – urfusion Mar 03 '16 at 09:59
  • Good luck anyway as soon as someone enters a `'` in the title field – Damien Pirsy Mar 03 '16 at 10:05
  • This solution is still dangerously broken! If someone puts a ' in the input then they can still break out of the expected SQL and execute arbitrary SQL commands. Use the proper escaping mechanisms such as mysqli_real_escape_string or prepared statements. Also, there's no way a user should be able to supply a table name. That's dangerous in all kinds of ways. Go back and rethink your design and your data validation. – GordonM Mar 03 '16 at 10:09
  • @RikNijdeken It didn't work, it just gave you a result you were expecting. There's a world of difference. This code is still broken. – GordonM Mar 03 '16 at 10:09
  • @GordonM it doesn't need to be safe at this point, it's still a pilot so I will fix it in the future – Rik Nijdeken Mar 03 '16 at 10:09
  • @RikNijdeken "We'll do it properly later": The credo of a million broken lines of code – GordonM Mar 03 '16 at 10:11
  • @GordonM : yes, I know this query is vulnerable to SQL injection. My first priority was to provide a solution for the user so he can get the code into working condition first. – urfusion Mar 03 '16 at 10:13
  • @urfusion For the reasons I've already mentioned in my comments. At least change `$var = $_POST ['var']` to `$var = mysqli_real_escape_string ($_POST ['var'])` – GordonM Mar 03 '16 at 11:46
-2

Don't use variables as strings. Keep it organized and foolproof:

<?php
    $servername = "localhost";
    $username = "a1070rik";
    $password = "";
    $dbname = "portals";
    $title = $_POST['subject'];
    $by = $_POST['name'];
    $short = $_POST['short'];
    $long = $_POST['long'];
    $portal = $_POST['portal'];

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
} 

// real_escape_string needs the open connection, which is $conn here (there is no $mysqli)
$portal = $conn->real_escape_string($portal);
$title = $conn->real_escape_string($title);
$by = $conn->real_escape_string($by);
$short = $conn->real_escape_string($short);
$long = $conn->real_escape_string($long);

// `by` and `long` are reserved words, so the column names are backtick-quoted
$sql = "INSERT INTO `".$portal."` (`id`, `title`, `by`, `short`, `long`) VALUES ('', '".$title."', '".$by."', '".$short."', '".$long."')";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
?>
WowThatsLoud
  • Good luck anyway as soon as someone enters a `'` in the title field – Damien Pirsy Mar 03 '16 at 10:05
  • This solution is still dangerously broken! If someone puts a ' in the input then they can still break out of the expected SQL and execute arbitrary SQL commands. Use the proper escaping mechanisms such as mysqli_real_escape_string or prepared statements. Also, there's no way a user should be able to supply a table name. That's dangerous in all kinds of ways. Go back and rethink your design and your data validation. – GordonM Mar 03 '16 at 10:10
  • he asked how to make it work; looking at the HTML, it's an environment which is controlled. To make it safe he should use an escape string, but I doubt that he will know what it is and that will make it harder – WowThatsLoud Mar 03 '16 at 11:16
  • That's no excuse. Either do it properly or not at all, giving people "solutions" that can lead to dangerous practices is not helping anybody. – GordonM Mar 03 '16 at 11:49