
I have a form which sends some data to a success page, and there they are inserted in a database.

Therefore I don't have control of what there is in the data from the form. And if the user uses single quotes the data doesn't get to the database. How can I ensure the user doesn't use single quotes in the form?

Here is my code:

```php
$details = $this->getDetails();
$conferance_name = $details['product_name'];
$hotel = $details['hotelval'];
$datefor = $details['dateval'];
$ogtitel = $details['navn_title'];
$virksomhed = $details['virksomhed'];
$adresse = $details['adresse'];
$postnr = $details['postnr'];
$by = $details['by'];
$telefon = $details['telefon'];
$email = $details['email'];
$kommentarer = $details['kommentarer'];
$ean = $details['ean'];
$entries = $details['entries'];
$newdate = date('Y-m-d');

$conn = Mage::getSingleton('core/resource')->getConnection('core_write');
// The form values are interpolated straight into the SQL string, so a single
// quote in any field terminates the literal and breaks (or alters) the statement.
$sql = "INSERT INTO mage_emailorder (emailorder_id, order_date, product_name, location, date_for, name_title, email, company, adress, zipcode, city, phone, ean, comment, order_done, number_of_entries)
VALUES (NULL, '$newdate', '$conferance_name', '$hotel', '$datefor', '$ogtitel', '$email', '$virksomhed', '$adresse', '$postnr', '$by', '$telefon', '$ean', '$kommentarer', '0', '$entries')";
```

All the variables are from a form, and I want to secure the form from special symbols.

Peter Mortensen
Patrick Knudsen
  • Sounds like you're inserting the data straight into the SQL, which means you're vulnerable to SQL injection. Use [prepared statements](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – frosty Mar 08 '16 at 12:14
  • @Desas *no*. Never. `addslashes()` does *not* make a string safe for insertion in a database. – Pekka Mar 08 '16 at 14:14
  • This question needs more context and code. Can you explain what technology you are using, and possibly show some relevant bits from your code (like the insert query)? – Pekka Mar 08 '16 at 14:15
  • http://stackoverflow.com/questions/881194/how-to-escape-special-character-in-mysql/881208#881208 – Hamza Zafeer Mar 08 '16 at 14:17
  • @Desas - it's not 1999 any more, so no, no `addslashes` if you insert data with PHP. – Mjh Mar 08 '16 at 14:27
  • If the user input is valid even if it contains those kinds of characters, follow the logic from @HamzaZafeer's post reference. If not, implement your validation logic and notify the user of any invalid inputs. – EduardoCMB Mar 08 '16 at 20:34
  • > How can I secure the user don't use single quotes in the form? As developers, never trust any user inputs; you should expect the worst from them. – Ikhlak S. Mar 18 '16 at 18:46

1 Answer

You've just discovered an SQL Injection vulnerability. Please fix your code; that's not just a bug, it's a major security hole.

https://www.owasp.org/index.php/SQL_Injection

eftpotrm
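The parameterised insert that the answer and the comments point to, as an added example that is not part of the original question or answer. It assumes the same Magento 1 setup as the question (a `core_write` connection, the `mage_emailorder` table with the columns named in the original INSERT, and `$this->getDetails()` returning the form fields) and uses the adapter's `insert()` method, which binds each value instead of interpolating it into the SQL string.

```php
<?php
// Added example, not the asker's or answerer's code. Assumes the Magento 1
// context from the question: a core_write connection, the mage_emailorder
// table and $this->getDetails() holding the submitted form fields.
//
// Zend_Db_Adapter::insert() sends the column values as bound parameters, so
// a single quote (or any other character) in user input is stored literally
// rather than terminating the SQL literal or being parsed as SQL.

$details = $this->getDetails();

/** @var Varien_Db_Adapter_Interface $conn */
$conn = Mage::getSingleton('core/resource')->getConnection('core_write');

// Column => value, mirroring the column list of the original INSERT.
// emailorder_id is left out so MySQL assigns the auto-increment key, which is
// what passing NULL for it in the original query relied on.
$row = array(
    'order_date'        => date('Y-m-d'),
    'product_name'      => $details['product_name'],
    'location'          => $details['hotelval'],
    'date_for'          => $details['dateval'],
    'name_title'        => $details['navn_title'],
    'email'             => $details['email'],
    'company'           => $details['virksomhed'],
    'adress'            => $details['adresse'],
    'zipcode'           => $details['postnr'],
    'city'              => $details['by'],
    'phone'             => $details['telefon'],
    'ean'               => $details['ean'],
    'comment'           => $details['kommentarer'],
    'order_done'        => 0,
    'number_of_entries' => $details['entries'],
);

// The adapter builds "INSERT INTO mage_emailorder (...) VALUES (?, ?, ...)"
// and binds $row's values; no quoting or escaping is done by hand.
$conn->insert('mage_emailorder', $row);

// The same binding is available for hand-written SQL via placeholders, e.g.
// $conn->query('SELECT ... WHERE email = ?', array($details['email']));
// Input validation (formats, lengths, required fields) is a separate step
// and still belongs before the insert; it is not a substitute for binding.
```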