
Hi, I'm really at the beginning of my programming career. I have to program a little website for a school project. I implemented some sort of guestbook on my website and tried to secure the variables that get posted into the DB against SQL injection etc.

My input form on the main page guestbook.php:

<form action="post.php" method="post">
<strong>Name:</strong><br/> <input type="text" name="name" /><br/>
<strong>Message:</strong><br/> <textarea name="message" rows="5"
  cols="25"></textarea><br/>
<input type="submit" value="send">
</form>

My post.php:

<?php
require_once 'config.php'; // db connect, defines $db_link

$fields = array("name", "message");

$isOkay = TRUE;

// Reject the request if any expected field is missing or empty
foreach ($fields as $field) {
    if (empty($_POST[$field])) {
        $isOkay = FALSE;
    }
}

if ($isOkay) {
    // Turns every POST key into a local variable ($name, $message, ...)
    extract($_POST);

    $now = time();
    // The raw POST values are concatenated straight into the SQL string
    if (mysqli_query($db_link, "insert into comments (`name`,message,`timestamp` ) values ('{$name}','$message','{$now}')")) {
        header("Location: guestbook.php");
    } else {
        echo "Can't connect to database.";
    }
} else {
    echo "One or more fields are empty.";
}
?>

Everything works fine and gets posted to my DB, but if I now add something like this to my code:

$safename = $_POST["name"];
$name = mysql_real_escape_string($safename);
$safemessage = $_POST["message"];
$message = mysql_real_escape_string($safemessage);

the variables I try to get into my DB are now empty ... probably a dumb mistake somewhere by me, but is anyone willing to help me here?

thanks in advance :)

Asked by Shouted; edited by Qirel.
  • Why do you have spaces here `< ?php`? - and you're mixing APIs here! – Qirel Jul 30 '17 at 13:30
  • You're already using an API that supports **prepared statements** with bounded variable input, you should utilize parameterized queries with placeholders (prepared statements) to protect your database against [SQL-injection](http://stackoverflow.com/q/60174/)! Get started with [`mysqli::prepare()`](http://php.net/mysqli.prepare) and [`mysqli_stmt::bind_param()`](http://php.net/mysqli-stmt.bind-param). – Qirel Jul 30 '17 at 13:30
  • I know this is early days for your project, and I can tell you've already seen the potential problem, but avoid using extract() with data from your client. An attacker could add to the posted data to set any variables he likes this way. – struthersneil Jul 30 '17 at 13:33
  • You should log out the values of $safename and $name to prove that they are what you expect. Then look at your MySQL logs to see how the incoming SQL looks. If it's malformed, then you'll be able to see why. – struthersneil Jul 30 '17 at 13:35
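The two comments above recommend prepared statements and warn against extract(). Below is an added example of post.php rewritten that way; it is not the asker's code or either answerer's. It assumes, as the question does, that config.php defines a connected mysqli handle in $db_link and that the comments table has the columns name, message and timestamp (the timestamp column is assumed to be an integer holding a Unix time, which is what storing time() suggests).

```php
<?php
// Added example, not the original post's code: post.php using a mysqli
// prepared statement instead of string-concatenating $_POST into the INSERT.
// Assumes config.php defines $db_link as a connected mysqli handle and that
// the comments table has the columns name, message and timestamp.
require_once 'config.php';

// Make mysqli throw exceptions instead of silently returning false, so a
// failed prepare()/execute() is reported rather than looking like "empty
// variables" or "Can't connect to database".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$fields = array("name", "message");
$values = array();

// Read each expected field explicitly. No extract(): a client that adds extra
// keys to the POST body (e.g. db_link or isOkay) cannot overwrite our variables.
foreach ($fields as $field) {
    if (!isset($_POST[$field]) || trim($_POST[$field]) === '') {
        echo "One or more fields are empty.";
        exit;
    }
    $values[$field] = $_POST[$field];
}

$now = time();

// The ? placeholders are sent to MySQL separately from the data, so a name
// such as O'Brien or a message full of quotes is stored verbatim and can never
// change the structure of the statement. No escaping function is needed.
$stmt = mysqli_prepare(
    $db_link,
    "INSERT INTO comments (`name`, `message`, `timestamp`) VALUES (?, ?, ?)"
);
// "ssi": two strings and one integer, in placeholder order
mysqli_stmt_bind_param($stmt, "ssi", $values["name"], $values["message"], $now);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);

header("Location: guestbook.php");
exit;
```

The same handle works with the object-oriented calls ($db_link->prepare(), $stmt->bind_param()) linked in the comment; the procedural form is used here only because the question already uses mysqli_query(). Note that this only fixes the insert side: what the guestbook prints back on guestbook.php still needs output escaping, which is a separate problem from the one asked about.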

2 Answers


I don't know whether there are other errors, but mysql_real_escape_string should be mysqli_real_escape_string.

So your last code should look like:

$safename = $_POST["name"];
$name = mysqli_real_escape_string($db_link, $safename);
$safemessage = $_POST["message"];
$message = mysqli_real_escape_string($db_link, $safemessage);

Other side notes: spaces are not required after `<`; `< form` can be written as `<form`, just like `<br>` can be.

DaniFoldi

You can try the $_REQUEST global variable. The $_POST variable is populated only if the data was "posted", and $_GET is only populated when an HTTP query string is sent. $_REQUEST is populated by both methods.

Sanya Zahid