
I am unsure whether my prepared statement is working correctly or not.

When I fill out my web form, it adds to the database successfully, but is it protected?

<?php
// $db is the connection resource returned earlier by pg_connect()
if(isset($_POST['submit']))
{
    /* check no input is left empty (array keys must be quoted strings, not bare words) */
    if(!empty($_GET['imei']) && !empty($_POST['wifi']) && !empty($_POST['ringer']) && !empty($_POST['lock']))
    {
        // Prepare a query for execution: the SQL text contains only placeholders,
        // never user input, so the parser can never treat a submitted value as SQL
        $prepared = pg_prepare($db, "query", 'INSERT INTO preferences VALUES ($1, $2, $3, $4)');

        // Bind the values separately; they are sent to the server as data, not parsed as SQL
        $result = pg_execute($db, "query", array($_GET['imei'], $_POST['wifi'], $_POST['ringer'], $_POST['lock']));

        if($prepared === false || $result === false)
        {
            // pg_prepare/pg_execute return false on failure; do not report success in that case
            echo '<script language="javascript">';
            echo 'alert("Could not save your preferences. Please try again.")';
            echo '</script>';
        } else {
            echo '<script language="javascript">';
            echo 'alert("Submitted successfully. You may now close this window.")';
            echo '</script>';
        }

    } else {
        echo '<script language="javascript">';
        echo 'alert("Please complete the form again, make sure you have filled in all fields.")';
        echo '</script>';
    }
}
?>

The only text field is wifi.

I am using a PostgreSQL database.

Is this prepared statement working and protecting my database from attacks properly?

caaax
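As an added example (not the asker's code, and not code from the PHP or PostgreSQL projects), the following script shows what pg_prepare/pg_execute actually does with a hostile value, and adds the checks the handler in the question is missing: validating the shape of the IMEI before it reaches the database, and checking the return values instead of reporting success unconditionally. The connection string, the `preferences` table layout (four text columns imei, wifi, ringer, lock, in that order) and the payload string are all constructed for this example.

```php
<?php
// Added example, not the asker's code. Assumed (hypothetical): the DSN below and a
// `preferences` table with four text columns imei, wifi, ringer, lock, in that order.
declare(strict_types=1);

$db = pg_connect('host=localhost dbname=app user=app password=secret');
if ($db === false) {
    fwrite(STDERR, "cannot connect\n");
    exit(1);
}

// Constructed attacker input for the wifi text field.
$hostileWifi = "x'); DROP TABLE preferences; --";

// 1. What NOT to do: splicing input into the SQL string. The payload's quote closes
//    the literal and everything after it becomes live SQL. Shown here, not executed.
$unsafe = "INSERT INTO preferences VALUES ('123456789012345', '" . $hostileWifi . "', 'on', 'on')";
echo "Unsafe statement the server would parse:\n", $unsafe, "\n\n";

// 2. Validate shape first. A prepared statement stops injection; it does not stop
//    garbage. An IMEI is 15 digits, so reject anything else before touching the DB.
function valid_imei(string $imei): bool
{
    return preg_match('/^[0-9]{15}$/', $imei) === 1;
}

// Simulated request value (constructed). In the real handler this is $_GET['imei'],
// with the key quoted.
$imei = '123456789012345';
if (!valid_imei($imei)) {
    fwrite(STDERR, "bad imei\n");
    exit(1);
}

// 3. Parse once with placeholders only, then bind the values separately. The
//    statement text never contains user data, so the parser cannot see it as SQL.
$prepared = pg_prepare(
    $db,
    'insert_pref',
    'INSERT INTO preferences VALUES ($1, $2, $3, $4)'
);
if ($prepared === false) {
    fwrite(STDERR, 'prepare failed: ' . pg_last_error($db) . "\n");
    exit(1);
}

$result = pg_execute($db, 'insert_pref', [$imei, $hostileWifi, 'on', 'on']);
if ($result === false) {
    // pg_execute returns false on error; the posted handler would still have
    // shown "Submitted successfully" here.
    fwrite(STDERR, 'insert failed: ' . pg_last_error($db) . "\n");
    exit(1);
}

// 4. Read it back: the stored value is the literal payload and the table still
//    exists, because the payload travelled as a bound parameter, not as SQL text.
$check = pg_query_params($db, 'SELECT wifi FROM preferences WHERE imei = $1', [$imei]);
if ($check === false) {
    fwrite(STDERR, 'select failed: ' . pg_last_error($db) . "\n");
    exit(1);
}
$row = pg_fetch_assoc($check);
echo 'Stored verbatim: ', var_export($row !== false && $row['wifi'] === $hostileWifi, true), "\n";
```

Run it against a scratch database with `php example.php`. The first line of output is the statement a concatenating version would have handed to the parser; the last line should print `true`, showing that the same string, bound through `$2`, was stored as an ordinary value. The point for the question above is that the protection comes from keeping every submitted value out of the string passed to `pg_prepare`, which the posted code does; quoting the array keys and checking the return values fix the remaining defects but are not what prevents injection.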
    If it inserts into the database, then presumably it's working. What is your question? – miken32 Sep 30 '18 at 00:52
    And if you had proper error reporting enabled you'd be getting a bunch of warnings about use of undefined constants. Quote your array indices! – miken32 Sep 30 '18 at 00:53
  • @miken32 My question is simply: is this protecting my database against SQL attacks properly? And thanks, are these undefined constants a problem? – caaax Sep 30 '18 at 00:55
    If you always separate SQL via `pg_prepare` from data sent per `pg_execute`, then yes, that's alright. Undefined constants are going to become an error with PHP 7.3 – mario Sep 30 '18 at 01:00
  • @mario So what I am doing is fine? What are my constants, and how do I define them to fix this? – caaax Sep 30 '18 at 01:02
    `$_POST['wifi']` is correct. `$_POST[wifi]` is not. – mario Sep 30 '18 at 01:03

0 Answers