0

I have a problem with adding some text from my site if that text contain some symbols like (", ? , script, or some sql tags ) ..

Here is a little bit of code,hope this is enough :)

    if(isset($_POST['submit_achievement'])){
    $title = $_POST['title_field'];
    $description = $_POST['description_field'];
    $sql2 = 'INSERT INTO achievements (title,description) VALUES (' . '"' .$title . '"'. "," . '"' . $description . '"' . ')';
    $records2 = mysqli_query($conn,$sql2);
}

If you need any more line from my code just write,thanks a lot! :)

chris85
  • 23,846
  • 7
  • 34
  • 51
Teshma
  • 15
  • 4
  • 1
    now is a perfect time to read up on [How can I prevent SQL injection in PHP?](http://stackoverflow.com/a/60496/689579). Learning how to use prepared statements and parameterized queries (see example 2 in the selected answer) will help fix your error. – Sean Nov 25 '16 at 22:01
  • Wide open to SQL injection attacks –  Nov 25 '16 at 22:02
  • 1
    Possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – chris85 Nov 25 '16 at 22:14

1 Answers1

1

The problem here is you're not using prepared statements and you're not escaping things properly, so some symbols conflict with SQL. In general terms this means you're vulnerable to SQL injection bugs.

Switch to using parameterized queries and bind_param to fix this issue:

$stmt = mysqli_prepare($conn, "INSERT INTO achievements (title, description) VALUES (?,?)");

$stmt->bind_param("ss", $_POST['title_field'], $_POST['description_field']);

As a note, try to avoid putting redundant things in names like _field. It's presumed to be a field if it's in a form submission.

tadman
  • 208,517
  • 23
  • 234
  • 262