0

Having trouble figuring out my error. Trying to scrub form data before I submit for SQL injections, and I am not getting any information to pass through to database. I have everything in one document, and the form-action is referencing the right page. I have also triple-checked the DB table, and it is correct as well. Also, if you have any other suggestions for SQL injection handling, it would be appreciated.

 <?php
 if(isset($_POST['submit'])) {
 //database connection
 include_once("include-php/db-conx-local.php");
 //gather variables from form and scrub
 $name = preg_replace('#[^a-z0-9]#i', 3'', $_POST['name']);
 $email = mysqli_real_escape_string($db_conx, $_POST['email']);
 $subject = preg_replace('#[^a-z0-9]#i', '', $_POST['subject']);
 // Function to get the client IP address
 $ip = getenv('HTTP_CLIENT_IP')?:
        getenv('HTTP_X_FORWARDED_FOR')?:
        getenv('HTTP_X_FORWARDED')?:
        getenv('HTTP_FORWARDED_FOR')?:
        getenv('HTTP_FORWARDED')?:
        getenv('REMOTE_ADDR');

 // FORM DATA ERROR HANDLING
 if($name == "" || $email == "" || $subject == ""){
    echo "Please fill out the entire form.";
    exit();
 } else {

    $sql = "INSERT INTO emailContactForm (name, email, subject, ip, postDate)
    VALUES ('$name', '$email', '$subject', '$ip', now())";
    mysqli_query($db_conx, $sql);
 }
 exit();
 }

 ?>

<form action="contact.php" method="post" id="contact-form">
            <div class="input-prepend">
                <span class="add-on"><i class="icon-user"></i></span>
                <input class="span4" id="name" name="name" size="16"
type="text" placeholder="Name">
            </div>
            <div class="input-prepend">
                <span class="add-on"><i class="icon-envelope"></i></span>
                <input class="span4" id="email" name="email" size="16"
type="text" placeholder="Email Address">
            </div>
            <textarea class="span6" id="subject" name="subject"></textarea>
            <div class="row">
                <div class="span2">
                    <input type="submit" id="submit" class="btn btn-inverse"
value="Send Message">
                </div>
            </div>
        </form>
Danger
  • 3
  • 5
  • Instead of using Mysqli , use PDO (http://php.net/manual/en/book.pdo.php). It does all the validations for injections on its own. – Cagy79 Feb 09 '17 at 22:39
  • Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Feb 09 '17 at 22:45
  • @Cagy79 It is not only PDO that can use Prepared and Parameterised queries. And it is not good to make it look like PDO does it all by magic. It too requires you to use Prepared and Parameterised queries to protect against SQL Injection – RiggsFolly Feb 09 '17 at 22:47
  • What replacement are you doing with name? – RST Feb 09 '17 at 22:59
  • disregard the '3' in that line. typo, Just trying to limit the characters to letters and numbers for name. – Danger Feb 09 '17 at 23:00
  • Echo out all the variables after you have Fiddled with them and see what the results of that are. That may well explain your issues – RiggsFolly Feb 09 '17 at 23:01

0 Answers0