I have the following PHP script that executes an SQL UPDATE query. How can I prevent it from being executed until the two POST values are not empty?

try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $delivery_time = addslashes($_POST['delivery_time']);
    $customer = addslashes($_POST['customer']);

    // values are interpolated into the query string (see the answer below about SQL injection)
    $sql = "UPDATE Equipment SET time = '$delivery_time', customer = '$customer' WHERE status ='Broken' ";

    // Prepare statement
    $stmt = $conn->prepare($sql);

    // execute the query
    $stmt->execute();

    // echo a message to say the UPDATE succeeded
    echo $stmt->rowCount() . " records UPDATED successfully";
} catch (PDOException $e) {
    echo $sql . "<br>" . $e->getMessage();
}

$conn = null;
  • Um, by adding validation that checks for null values and blocks it until they are not? – John Conde Jun 20 '19 at 20:37
  • Please read about **[SQL injection](https://en.wikipedia.org/wiki/SQL_injection)**. Instead of building queries with string concatenation, use **[prepared statements](https://secure.php.net/manual/en/pdo.prepare.php)** with **[bound parameters](https://secure.php.net/manual/en/pdostatement.bindparam.php)**. See **[this page](https://phptherightway.com/#databases)** and **[this post](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)** for some good examples. – John Conde Jun 20 '19 at 20:37
  • Ohh, I read the question wrong again... anyway, you should prevent SQL injection in the first place. – Dharman Jun 20 '19 at 20:40
  • Wrap all the code in `if(!empty($_POST['delivery_time']) && !empty($_POST['customer']))` – Barmar Jun 20 '19 at 20:41
  • I have tried to prevent SQL injection using PDO. This was my initial post, but I kept running into errors using the answer given. If someone could please take a look at this: https://stackoverflow.com/questions/56690184/how-to-add-a-post-request-for-all-inputs-in-pdo-php/56690265#56690265 –  Jun 20 '19 at 20:45
  • No wonder, that answer was pretty bad. – Dharman Jun 20 '19 at 20:47

1 Answer

Warning: You are wide open to SQL injection and should really use parameterized prepared statements instead of manually building your queries. They are provided by PDO or by MySQLi. Never trust any kind of input, especially that which comes from the client side. Even when your queries are executed only by trusted users, you are still at risk of corrupting your data.

To avoid sending the query until the $_POST variables are supplied, check for their existence with an if statement and isset.

if (isset($_POST['delivery_time'], $_POST['customer'])) {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // switch off emulated prepares, but you should add charset=utf8mb4 in the constructor above too
    $conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    // placeholders instead of interpolated values
    $sql = "UPDATE Equipment SET `time` = ?, `customer` = ? WHERE `status` ='Broken' ";

    // Prepare statement
    $stmt = $conn->prepare($sql);

    // execute the query, binding the two POST values to the placeholders
    $stmt->execute([
        $_POST['delivery_time'],
        $_POST['customer']
    ]);

    // echo a message to say the UPDATE succeeded
    echo $stmt->rowCount() . " records UPDATED successfully";
}
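The answer's isset() check only proves the fields exist; an empty string still passes it, which is not what the question asks for. The script below is an added example (not the asker's or the answerer's code) that rejects missing, non-string and blank values before opening the connection, and runs the UPDATE with named bound parameters. It assumes $servername, $dbname, $username and $password are defined as in the question.

```php
<?php
// Added example, not the asker's or the answerer's code. Assumes $servername,
// $dbname, $username and $password are defined as in the question.

// Return trimmed values when both fields are present and non-empty, else null.
// isset() alone accepts "", so blank strings are rejected here as well.
function readUpdateInput(array $post): ?array
{
    $clean = [];
    foreach (['delivery_time', 'customer'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return null; // missing, or an array such as customer[]=x
        }
        $value = trim($post[$field]);
        if ($value === '') {
            return null;
        }
        $clean[$field] = $value;
    }
    return $clean;
}

// Bound parameters keep the values out of the SQL text; addslashes() is not needed.
function updateBrokenEquipment(PDO $conn, string $deliveryTime, string $customer): int
{
    $stmt = $conn->prepare(
        'UPDATE Equipment SET `time` = :time, `customer` = :customer WHERE `status` = :status'
    );
    $stmt->execute([':time' => $deliveryTime, ':customer' => $customer, ':status' => 'Broken']);
    return $stmt->rowCount();
}

$input = readUpdateInput($_POST);
if ($input === null) {
    http_response_code(400);
    exit('delivery_time and customer are required');
}

try {
    // charset belongs in the DSN once emulated prepares are switched off
    $conn = new PDO("mysql:host=$servername;dbname=$dbname;charset=utf8mb4", $username, $password,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
    $n = updateBrokenEquipment($conn, $input['delivery_time'], $input['customer']);
    echo "$n records UPDATED successfully";
} catch (PDOException $e) {
    error_log($e->getMessage()); // keep SQL and driver errors out of the response
    http_response_code(500);
    exit('Update failed');
}
```

Logging the PDOException server-side instead of echoing $sql and the driver message avoids leaking table and column names to whoever submitted the form.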