0

I have an app that takes data from MySQL database and also inserting data into it (the user is writing the data that is getting inserted) and honestly I am pretty new to php and don't know a lot about securing and sanitizing strings, I want to make the php files more secure and I don't know what to look for in order of doing it, if someone can send a tutorial it will be great.

here is the select and insert codes

    <?php
header('Content-Type: text/html; charset=utf-8');

    $db = "*********";
    $username = "*********";
    $password = "*******";
    $host = "************";

$sql = "select * from sample;";


$conn = mysqli_connect($host,$username,$password,$db);

$conn->set_charset('utf8');




$result = mysqli_query($conn,$sql);

$response = array();

while($row = mysqli_fetch_array($result))
{
    array_push($response,array($row[0],$row[1],$row[2]));
}
$str = json_encode(array($response),JSON_UNESCAPED_UNICODE);
$str = clean($str);
echo $str;
mysqli_close($conn);


function clean($string) {
    $string = str_replace(' ', ' ', $string);
    $string = preg_replace('/[^a-zA-Z0-9,×-×–, : . -]/', '', $string);
    return preg_replace('/-+/', '-', $string);
}

?>

and the insert:

<?php

    $db = "*********";
    $username = "*********";
    $password = "*******";
    $host = "************";
$conn = mysqli_connect($server_name,$mysql_username,$mysql_password,$db_name);


$name =$_POST["name"];
$publisher=$_POST["publisher"];
$date=$_POST["date"];


$sql_query = "insert into sample(name,publisher,date)
             values('$name','$publisher','$date');";

if(mysqli_query($conn,$sql_query))
{
echo "data inserted";
}
else
{
echo "error";
}
?>
orisgoofo
  • 53
  • 1
  • 6
  • 3
    Possible duplicate of [What's the best method for sanitizing user input with PHP?](http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php) – Mueyiwa Moses Ikomi Dec 07 '16 at 15:56
  • 1
    Use `prepared statements` if you are query stuff with mysqli!! (the extention handels that for you) – JustOnUnderMillions Dec 07 '16 at 16:05
  • Possible duplicate of [How to create a secure mysql prepared statement in php?](http://stackoverflow.com/questions/1290975/how-to-create-a-secure-mysql-prepared-statement-in-php) – EhsanT Dec 07 '16 at 20:56

2 Answers2

0

Use prepared statements any time possible: 

$sql_query = "insert into sample(name,publisher,date) values(?,?,?);";

$stmt = mysqli_prepare($conn,$sql_query);

mysqli_stmt_bind_param( $stmt , "sss" , $name,$publisher,$date);

mysqli_stmt_execute($stmt);

And try to use the object style only, not the procedural of the mysqli extention.

You are mixing both here:

$conn = mysqli_connect($host,$username,$password,$db);//procedural style

$conn->set_charset('utf8');//oject style
JustOnUnderMillions
  • 3,741
  • 9
  • 12
0

You can use PDO. It's very simple to build safe SELECT and INSERT queries. Although, you must be careful on some commands such as ORDER BY.

<?php

$pdo = new PDO('mysql:host=localhost;dbname=databasename;charset=utf8', 'username', 'password');
$statement = $pdo->prepare("SELECT * FROM users WHERE firstname = :firstname AND lastname = :lastname");
$statement->execute(array(':firstname' => 'Max', ':lastname' =>  'Mustermann'));  

if( $statement->rowCount() > 0 ) { 
   $row = $statement->fetch();
   echo "Hello " . $row['firstname'];
}

?>

Mysqli can be used too, but please check out mysqli_real_escape_string.

user3606329
  • 2,405
  • 1
  • 16
  • 28