1

my question is updating. my new question is this;

  <?php

    header('Access-Control-Allow-Origin: *');
    header('Access-Control-Allow-Headers: X-Requested-With');
    header('Access-Control-Allow-Headers: Content-Type');
    header('Access-Control-Allow-Methods: POST,GET,OPTIONS,DELETE,PUT');

    header('Cache-Control:public, max-age=100');

    if ($db = ibase_connect('111.222.333.444:C:\xx\xx\xx\xx\xx\xx.FDB', 'SYSDBA',
      'masterkey')) {



        $sql = "select * from STOK where barkodu='$barkodu'";

        $query =  ibase_prepare($sql);
        $rs=ibase_execute($query);


        if($row = ibase_fetch_row($rs)){

        $stok_adi = $row[2];

        $sonuc->stok_adi = $stok_adi;

      }

        ibase_close($db);

      } 
      else {
        $sonuc->durum = "cevapyok";
        }
      echo json_encode($sonuc);


    ibase_free_query($query);
    ibase_free_result($rs);
 ?>

There is my codes, its working normally with;

$sql = "select * from STOK";

But i want this;

$sql = "select * from STOK where barkodu='$barkodu'";

How can i get $barkodu with http post from external ? Thanks.

By the way; i have changed my ip adress with 111.222.333.444 and my database location with C:\xx\xx\xx\xx\xx\xx.FDB for my safety

kalememre
  • 406
  • 3
  • 14
  • Your question is far too broad and expects us to do the work for you. Start with reading https://secure.php.net/manual/en/book.ibase.php and then transform your code to do the equivalent using `ibase`. If you get stuck, ask a specific question. – Mark Rotteveel Sep 15 '18 at 14:45
  • i already transformed my codes, i have a php file with written ibase codes, i just only need how can i get variable string with http get. " $barkodu " – kalememre Sep 15 '18 at 15:04
  • Then you should edit your question, show what you did with Firebird, and describe the problem in more detail. If you use Firebird properly, then you use parameterized queries, and then escaping should not be necessary. – Mark Rotteveel Sep 15 '18 at 15:29
  • edited, please check – kalememre Sep 15 '18 at 15:48

1 Answers1

0

Warning: I don't normally program in PHP, this answer is based on reading the documentation and my knowledge of Firebird.

Your current code is unsafe and vulnerable to SQL injection. Instead of using string interpolation to put your value directly into the query string, you should use a parameterized query instead.

That is, you need to change your code to:

$sql = "select * from STOK where barkodu=?";

$query = ibase_prepare($sql);
$rs = ibase_execute($query, $barkodu);

Or, given you're not reusing the query:

$sql = "select * from STOK where barkodu=?";
$rs = ibase_query($sql, $barkodu);

See also

If your question instead is how to get the parameter from a form post, then I suggest you look at How to get input field value using PHP, or search for a tutorial on how to get form values using PHP; however that is a problem not directly related to Firebird (nor MySQL).

Mark Rotteveel
  • 100,966
  • 191
  • 140
  • 197