
I want to prevent SQL injection in Question2Answer.

This is how I store data in MySQL via an HTML form. I know it's a security risk.

Examples:

$price = $_POST['price'];

OR

$price = array_key_exists('price', $_POST) ? $_POST['price'] : "";

and the SQL query is:

$insertqry = qa_db_query_sub("INSERT INTO test_table (title, price) VALUES ('$title','$price')");

How should I post data in the latest PHP (7 and above)?

I think escaping strings is deprecated or outdated.

Dharman
site123
    What is `qa_db_query_sub`? That doesn't seem like a function worth trusting, *especially* since you've injected `$_POST` data in the query already. It's too late to fix it. – tadman Mar 31 '20 at 19:28
  • If you're just getting started with PHP and want to build applications, I'd strongly recommend looking at various [development frameworks](https://www.cloudways.com/blog/best-php-frameworks/) to see if you can find one that fits your style and needs. They come in various flavors from lightweight like [Fat-Free Framework](https://fatfreeframework.com/) to far more comprehensive like [Laravel](http://laravel.com/). These give you concrete examples to work from and guidance on how to write your code and organize your project's files. They also come with database layers that solve this problem. – tadman Mar 31 '20 at 19:29
  • Hi tadman! The qa_db_query_sub function is from the q2a PHP script, which is a pretty secure script against SQL injection, but I need to add custom data to MySQL via a PHP form and I don't know how to secure it. Reference - https://github.com/q2a/question2answer – site123 Mar 31 '20 at 19:45
  • The way you're using it is absolutely **not** safe from SQL injection. There is nothing that thing can do to fix what is already done. I can't easily find any documentation on that function, but in order to use it correctly you *must* use placeholders like `VALUES (#, #)` and pass in the data as separate arguments. **DO NOT** use string interpolation. – tadman Mar 31 '20 at 19:55

1 Answer


Based on what little information I can find you need to use qa_db_query_sub with placeholder values:

 qa_db_query_sub("INSERT INTO test_table (title, price) VALUES ($,$)", $title, $price);

You will want to check with the official documentation, which I can't find, to be sure that's correct.

As a note, if you're trying to build a full application I'm not sure this platform is the best to build on top of. There are a lot of other frameworks that are much better documented and have a lot more community support.

tadman
  • Thanks for your input. You can see db query reference here. https://github.com/q2a/question2answer/blob/dev/qa-include/db/post-create.php – site123 Mar 31 '20 at 20:05
  • Here is the documentation for this - https://docs.question2answer.org/code/structure/ – site123 Mar 31 '20 at 20:10
  • It looks like the type of placeholder has an effect on the escaping, so `$` is appropriate here. – tadman Mar 31 '20 at 21:38
  • Hi tadman! Thanks for clarifying it. Reference: qa_db_query_sub($query, ...) runs the SQL in $query on the Q2A database after substituting the symbols ^, # and $, returning a PHP result resource. This function is the recommended way to run queries on the Q2A database, and automatically escapes all substituted parameters for safe SQL. The ^ symbol is substituted for the appropriate Q2A table prefix set in qa-config.php, which is qa_ by default. The # and $ symbols are substituted for numerical and UTF-8 string values respectively. https://docs.question2answer.org/code/functions/ – site123 Mar 31 '20 at 22:37