
I have been looking around a lot for this, but nothing seems to be working. I have this input form for a forum. However, I am aware that you can input code from HTML to SQL. I was wondering how I can prevent this, as obviously this would be devastating for someone to be able to use. Thanks for any help and suggestions.

<form id="form1" name="form1" method="post" action="add_topic.php">
<table>
<tr>
<td><strong>Create New Topic</strong></td>
</tr>
<tr>
<td><strong>Topic</strong></td>
<td><textarea maxlength="140" name="topic" id="topic" cols="50" rows="1" required></textarea></td>
</tr>
<tr>
<td><strong>Detail</strong></td>
<td><textarea maxlength="655" name="detail" cols="50" rows="3" id="detail" required></textarea></td>
</tr>
<tr style="display: none;">
<td><strong>Name</strong></td>
<td><input name="name" type="text" id="name" size="50" value="<?php echo $_SESSION['username'];?>" readonly/></td>
</tr>
<tr>
<td>&nbsp;</td>
<td><input class="submit" type="submit" name="Submit" value="Submit" /> <input class="submit2" type="reset" style="float: right;" name="Submit2" value="Delete All" /></td>
</tr>
</table>
</form>

How can I implement something in this code to prevent code being submitted through my form that can affect my website? Thanks.

2 Answers


From the user interface anything is possible, so you should treat the input on the server with some formatters (preg_replace, hashing, etc.)

and finish it with some ORM to do "prepared statements" on SQL. It will format and prepare your input, so that something like

"select x from y where $filter"

will come out as

"select x from y where col01 = :val1 and col02 = :val2"

An example with PHP:

<?php
 $pdo = new PDO('mysql:host=localhost;dbname=crud', 'root', '');
 // The query text is fixed; :nome is a placeholder, not string concatenation
 $stmt = $pdo->prepare('select * from agenda where nome = :nome');
 // The value is sent separately from the SQL, so it is never parsed as SQL
 $stmt->bindValue(':nome', 'kalil');
 $run = $stmt->execute();
 $result = $stmt->fetchAll(PDO::FETCH_ASSOC);
 var_dump($result);
?>

With HTML5 you can format the form for a better visual:

<form action="/action_page.php">
Country code: <input type="text" name="country_code" 
pattern="[A-Za-z]{3}" title="Three letter country code">
<input type="submit">
</form>

In Ajax, jQuery:

I think you can look at A simple jQuery form validation script, it's very good.

israel

Ideally you should make changes on the server side, not the client side, i.e. HTML.

So you should use prepared statements to build the SQL query, which will automatically escape the input so that it will not execute the SQL commands given by the user. For PHP you can do something like this with mysqli:

// $dbConnection is an open mysqli connection; $name holds the user-supplied value
$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'

$stmt->execute();

Update for XSS

The above code is to prevent SQL injection. If you are displaying the content from the DB on the front-end (browser), you can escape HTML chars and store them in the DB so that it will prevent XSS also:

// bind_param takes its arguments by reference, so escape into a variable first
// (passing htmlspecialchars($name) directly raises "Only variables should be passed by reference")
$safeName = htmlspecialchars($name);
$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $safeName); // 's' specifies the variable type => 'string'

$stmt->execute();

Happy coding

Shiva Kishore
  • I get a parse error: unexpected "" on the line: $sql = $con->prepare "INSERT INTO $tbl_name(topic, detail, name, datetime)VALUES('$topic', '$detail', '$name', '$datetime')"; – Bradley Coupland Jan 26 '18 at 18:41
  • I am not a PHP dev. With that being said, I think you missed the parentheses after prepare: $sql = $con->prepare("INSERT INTO $tbl_name(topic, detail, name, datetime)VALUES('$topic', '$detail', '$name', '$datetime')"); – Shiva Kishore Jan 26 '18 at 18:46
  • This should help for understanding prepared statements: https://www.w3schools.com/php/php_mysql_prepared_statements.asp – Shiva Kishore Jan 26 '18 at 18:49
  • Hey, so I implemented it; however, when I input something like they can still change the background colour. Here is my code. It doesn't affect anything: $stmt = $con->prepare("INSERT INTO $tbl_name(topic, detail, name, datetime)VALUES(?, ?, ?, ?)"); $stmt->bind_param("ssss", $topic, $detail, $name, $datetime); $stmt->execute(); if($stmt){... more code you don't need} – Bradley Coupland Jan 26 '18 at 19:28
  • Hi, so we were focusing on SQL injection, but the scenario you are describing is part of an XSS attack, so you need to do something like this: `$stmt->bind_param("ssss", htmlspecialchars($topic), htmlspecialchars($detail), htmlspecialchars($name), htmlspecialchars($datetime));` – Shiva Kishore Jan 26 '18 at 19:50
  • You legend, if you can put that in your answer I will write it off as an answer!!! Thank you very much! – Bradley Coupland Jan 27 '18 at 14:13
  • Please accept the answer if the answer provided the solution for the question. Thanks – Shiva Kishore Jan 27 '18 at 14:48
  • Brilliant thank you very much! Really appreciate the help – Bradley Coupland Jan 28 '18 at 14:27
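Both answers and the comment thread above circle the same two problems: the asker's INSERT for the form (topic, detail, name, datetime) and the fact that parameterised queries alone do not stop stored markup from rendering. The following is an added example, not code from the question or either answer, of a complete add_topic.php that uses mysqli prepared statements for the INSERT and escapes the values with htmlspecialchars at output time instead of before storage. The table name `forum_topics`, its `id` column, the connection credentials, the `h()` helper and the use of NOW() for the datetime column are all assumptions; it also assumes the mbstring extension and mysqlnd (for get_result()), which are standard in most PHP builds.

```php
<?php
// Added example (not from the question or either answer): a server-side add_topic.php
// that binds the form values as prepared-statement parameters and escapes on output.
// Assumed: table `forum_topics` (id, topic, detail, name, datetime) and the credentials below.
declare(strict_types=1);
session_start();

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors instead of failing silently
$con = new mysqli('localhost', 'forum_user', 'forum_password', 'forum'); // assumed credentials
$con->set_charset('utf8mb4');

// Only accept a POST from a logged-in session. The author comes from the session, not from the
// hidden <input name="name"> in the form, because anything in the form can be edited by the client.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_SESSION['username'])) {
    http_response_code(403);
    exit('Not allowed');
}
$topic  = trim((string)($_POST['topic']  ?? ''));
$detail = trim((string)($_POST['detail'] ?? ''));
$name   = (string)$_SESSION['username'];

// Server-side length checks: the maxlength attributes and the HTML5 pattern attribute from the
// first answer are advice to the browser only and are trivially bypassed by a crafted request.
if ($topic === '' || mb_strlen($topic) > 140 || $detail === '' || mb_strlen($detail) > 655) {
    http_response_code(400);
    exit('Topic must be 1-140 characters and detail 1-655 characters');
}

// SQL injection defence: the query text is fixed and the values travel as bound parameters,
// so a value such as  ' OR 1=1 --  is stored as literal text and never parsed as SQL.
$stmt = $con->prepare(
    'INSERT INTO forum_topics (topic, detail, name, datetime) VALUES (?, ?, ?, NOW())'
);
$stmt->bind_param('sss', $topic, $detail, $name); // bind_param needs variables, not function results
$stmt->execute();
$newId = $con->insert_id;

// XSS defence: keep the raw text in the database and escape at the moment it is rendered as HTML.
// ENT_QUOTES also escapes single quotes, which matters inside attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$stmt = $con->prepare('SELECT topic, detail, name, datetime FROM forum_topics WHERE id = ?');
$stmt->bind_param('i', $newId);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();

header('Content-Type: text/html; charset=UTF-8');
echo '<h2>' . h($row['topic']) . '</h2>',
     '<p>' . nl2br(h($row['detail'])) . '</p>',
     '<small>by ' . h($row['name']) . ' at ' . h($row['datetime']) . '</small>';
```

With this in place a detail such as `<style>body{background:red}</style>` (the "change the background colour" case from the comments) is inserted unchanged but rendered as visible text, because every `<`, `>`, `"` and `'` is replaced by an entity when the row is echoed. Escaping on output rather than before the INSERT, as the second answer does, keeps the stored data usable by other consumers (a JSON API, e-mail notifications) and avoids double-escaped `&amp;amp;` when a topic is later edited and saved again; the database row is never itself the thing that executes, the browser is.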