-3

I have the following code in my index.php:

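```php
<?php
  // Handle the insert only when the form field arrived in the POST body
  if (isset($_POST["value"])) {
     $conn = new mysqli("localhost", "user", "pw", "database");
     // Escape through the mysqli connection: mysql_real_escape_string() belongs to the
     // removed ext/mysql extension and does not work with a mysqli connection.
     // `table` is a reserved word in MySQL, so it is quoted with backticks.
     $sql = "INSERT INTO `table` (`value`) VALUES ('" . $conn->real_escape_string($_POST["value"]) . "')";
     if ($conn->query($sql) === TRUE) {
        echo "Value inserted.";
     }
     $conn->close();
   }
?>
<body>
    <form action="index.php" method="post">
    <input placeholder="example" class="inputfield" type="text" name="value" />
    <button class="button" type="submit"> Submit </button>
    </form>
</body>
```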

How can I prevent someone from inserting whatever he likes into the database by sending a post request like this:

localhost/index.php?value=whatever

Help is appreciated.

EDIT: Question was solved: it is not possible for a user to put URL parameters if the server is using "post" requests.

videokate
  • Possible duplicate https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Lets-c-codeigniter Oct 19 '19 at 13:13
  • Possible duplicate of [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Dharman Oct 19 '19 at 13:17
  • You are accepting POST requests in your code, but want to prevent GET. He cannot insert it using GET with this code. You should look up a little about SQL injections and form submitting. – equi Oct 19 '19 at 13:19
  • Thank you @equi. Looking up and understanding the difference between POST and GET solved my issue. – videokate Oct 19 '19 at 13:31

1 Answer

0

You are accepting POST requests in your code, but want to prevent GET. He cannot insert it using GET with this code. You should look up a little about SQL injections and form submitting.

equi
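Added example, not part of the original question or answer: a version of the question's handler that acts only on POST, validates the field on the server, and binds it through a prepared statement, the approach described in the linked duplicate. `validate_value`, `MAX_VALUE_LEN`, the printable-ASCII rule and the 422 status are assumptions made for this illustration; the connection details and table name are the question's own placeholders.

```php
<?php
// Added example (not from the post). MAX_VALUE_LEN and the printable-ASCII
// rule are assumed policy choices; table/column names are the question's.
const MAX_VALUE_LEN = 64;

// Returns the cleaned string, or null when the input is not acceptable.
function validate_value($raw)
{
    if (!is_string($raw)) {          // value[]=x would arrive as an array
        return null;
    }
    $value = trim($raw);
    if ($value === '' || strlen($value) > MAX_VALUE_LEN) {
        return null;
    }
    return preg_match('/^[\x20-\x7E]+$/', $value) === 1 ? $value : null;
}

// index.php?value=whatever is a GET request: it fills $_GET, not $_POST,
// so this branch never runs for it. $_REQUEST is deliberately not used,
// because it would merge query-string and body parameters.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $value = validate_value($_POST['value'] ?? null);
    if ($value === null) {
        http_response_code(422);
        echo "Invalid value.";
    } else {
        // Make mysqli throw exceptions instead of failing silently.
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        $conn = new mysqli("localhost", "user", "pw", "database");
        // The value is bound as data, so it cannot change the statement.
        $stmt = $conn->prepare("INSERT INTO `table` (`value`) VALUES (?)");
        $stmt->bind_param("s", $value);
        $stmt->execute();
        $stmt->close();
        $conn->close();
        echo "Value inserted.";
    }
}
?>
<form action="index.php" method="post">
    <input placeholder="example" type="text" name="value" />
    <button type="submit">Submit</button>
</form>
```

The form is only one possible sender of a POST body, which is why the length and character checks run on the server rather than in the HTML.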