
I have a website on which users can enter data into a MySQL database via forms (this data is later shown on the user's profile page), and I'd like to know whether this data is safe to store in the database and also safe to display on a PHP page.

Here's the code I'm using for the database connection (db_connection.php):

<?php
class DBConnection {
    protected $conn;
    protected $servername;
    protected $username;
    protected $password;
    protected $dbname;

    public function __construct()
    {
        try {
            $this->conn = new PDO("mysql:host=localhost;dbname=databasename;charset=utf8mb4", "databaseuser", "databasepassword");
            $this->conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        }
        catch (Exception $e) {
            echo "Error: " . $e->getMessage();
        }
    }
}
?>

Here is the function that inserts data into the DB (myfunctions.php):

<?php
include 'db_connection.php';
$dbObj = new DBConnection;

class CrudOp extends DBConnection {

    public function insert($table, $data) {
        global $conn;
        ksort($data);
        $fieldNames = '`' . implode('`, `', array_keys($data)) . '`';
        $fieldvalues = "'" . implode("','", array_values($data)) . "'";
        $sql = 'INSERT INTO ' . $table . ' (' . $fieldNames . ') VALUES(' . $fieldvalues . ')';
        $statement = $this->conn->prepare($sql);
        $statement->execute();
        return 'true';
    }

    //function for selecting a record below
    public function select_record($tblfld, $where, $table) {
        $sql = "";
        $condition = "";
        foreach ($where as $key => $value) {
            // id = '5' AND m_name = 'something'
            $condition .= $key . "='" . $value . "' AND ";
        }
        $condition = substr($condition, 0, -5);
        $sql .= "SELECT " . $tblfld . " FROM " . $table . " WHERE " . $condition;
        //print_r($sql);
        $smt = $this->conn->prepare($sql);
        $smt->execute();
        return $smt->fetchAll();
    }

    //other functions go here
}
?>

And here is the code I use on the form pages (formexample.php):

<form name="form" method="post">
<input type="text" name="name">
<input type="text" name="descript">
<button type="submit">Submit</button>
</form>

<?php 
include 'myfunctions.php';
$ops = new CrudOp; 

$name = $_POST["name"];
$descript = $_POST["descript"];

$data = array(
            "name"=>$name,
            "descript"=>$descript,
        );

$ops->insert("tablename",$data);
?>

When any given data is entered via the forms, it is successfully inserted into the database; however, I don't see any special characters being escaped. When I display the data on a page using the select_record function, it generates errors if, for example, a text with quotes was entered via the form. How can I safely store and display the data that was entered via the forms? Thank you in advance.

Esquirish

  • that's not how you prepare data... so the answer is "no" – Flash Thunder Jul 15 '21 at 19:32
  • Don't sanitize going in, sanitize coming out. There may be reasons why you'd want special characters in the database. – aynber Jul 15 '21 at 19:33
  • Also don't "sanitize" at all, ensure that your data is properly _encoded_ on output so as to be safe and valid for the chosen output format. – Sammitch Jul 15 '21 at 20:12
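Added example, not code from the asker or the commenters: the insert and select_record operations from the question rewritten so that values are bound as PDO parameters (the "prepare" the first comment refers to) and stored raw, with HTML encoding applied only at display time (the point of the other two comments). It uses an in-memory SQLite database purely so the script runs without a server; that DSN, the `profiles` table and the `SafeCrud` class name are assumptions. The MySQL DSN from the question can be dropped in unchanged, since PDO does the binding either way.

```php
<?php
declare(strict_types=1);

// Added example (not the question's code). SQLite in-memory is an assumption
// made so this runs stand-alone; with the MySQL DSN from the question the
// class behaves the same.
class SafeCrud
{
    private PDO $conn;

    public function __construct(PDO $conn)
    {
        $this->conn = $conn;
        $this->conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // On MySQL, disable client-side emulation so the server itself keeps
        // the statement text and the bound values apart.
        if ($this->conn->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
            $this->conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        }
    }

    // Table and column names cannot be bound as parameters, so they are
    // checked against a strict pattern and backtick-quoted instead.
    private static function ident(string $name): string
    {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("Invalid identifier: $name");
        }
        return '`' . $name . '`';
    }

    // $data is column => value. Values travel as named parameters and never
    // become part of the SQL string, so quotes in them are just data.
    public function insert(string $table, array $data): int
    {
        ksort($data);
        $keys   = array_keys($data);
        $cols   = implode(', ', array_map(fn($k) => self::ident($k), $keys));
        $params = implode(', ', array_map(fn($k) => ':' . $k, $keys));
        $sql    = 'INSERT INTO ' . self::ident($table) . " ($cols) VALUES ($params)";
        $stmt   = $this->conn->prepare($sql);
        $stmt->execute($data);
        return (int) $this->conn->lastInsertId();
    }

    // $where is column => value; conditions are ANDed and each value is bound
    // by name, matching the shape of select_record() in the question.
    public function selectRecord(array $fields, array $where, string $table): array
    {
        $cols  = implode(', ', array_map(fn($f) => self::ident($f), $fields));
        $conds = array_map(fn($k) => self::ident($k) . ' = :' . $k, array_keys($where));
        $sql   = "SELECT $cols FROM " . self::ident($table) . ' WHERE ' . implode(' AND ', $conds);
        $stmt  = $this->conn->prepare($sql);
        $stmt->execute($where);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Encoding belongs at the output boundary: the database keeps the raw text,
// and this turns it into safe HTML text at render time.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE `profiles` (`id` INTEGER PRIMARY KEY, `name` TEXT, `descript` TEXT)');
$crud = new SafeCrud($pdo);

// Constructed input containing quotes, markup and an ampersand, i.e. the kind
// of text the question says currently breaks the original code.
$crud->insert('profiles', [
    'name'     => "O'Brien",
    'descript' => 'Likes <b>bold</b> text & "quotes"',
]);

$rows = $crud->selectRecord(['name', 'descript'], ['name' => "O'Brien"], 'profiles');
foreach ($rows as $row) {
    echo '<p>' . h($row['name']) . ': ' . h($row['descript']) . "</p>\n";
}
```

The identifier check is there because column and table names are the one part of these functions that cannot go through a placeholder; restricting them to a fixed pattern keeps caller-supplied keys out of the SQL text. Note that `h()` is only correct for HTML element content and quoted attribute values; data rendered into JavaScript, URLs or CSS needs the encoder for that context instead.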

0 Answers