
Secure php and sql when selecting and inserting data

I have an app that takes data from a MySQL database and also inserts data into it (the user writes the data that gets inserted). Honestly, I am pretty new to PHP and don't know a lot about securing and sanitizing strings. I want to make the PHP files more secure and I don't know what to look for in order to do it. If someone can send a tutorial, it would be great.

Here is the select and insert code:

<?php
header('Content-Type: text/html; charset=utf-8');

$db = "*********";
$username = "*********";
$password = "*******";
$host = "************";

$sql = "select * from sample;";

$conn = mysqli_connect($host,$username,$password,$db);

$conn->set_charset('utf8');

$result = mysqli_query($conn,$sql);

$response = array();

while($row = mysqli_fetch_array($result))
{
    array_push($response,array($row[0],$row[1],$row[2]));
}
$str = json_encode(array($response),JSON_UNESCAPED_UNICODE);
$str = clean($str);
echo $str;
mysqli_close($conn);


function clean($string) {
    $string = str_replace(' ', ' ', $string);
    $string = preg_replace('/[^a-zA-Z0-9,×-×–, : . -]/', '', $string);
    return preg_replace('/-+/', '-', $string);
}

?>

And the insert:

<?php

$db = "*********";
$username = "*********";
$password = "*******";
$host = "************";
// Connect with the variables defined above
$conn = mysqli_connect($host,$username,$password,$db);

$name = $_POST["name"];
$publisher = $_POST["publisher"];
$date = $_POST["date"];

$sql_query = "insert into sample(name,publisher,date)
             values('$name','$publisher','$date');";

if(mysqli_query($conn,$sql_query))
{
    echo "data inserted";
}
else
{
    echo "error";
}
?>

Use prepared statements any time possible:

$sql_query = "insert into sample(name,publisher,date) values(?,?,?);";

$stmt = mysqli_prepare($conn,$sql_query);

mysqli_stmt_bind_param( $stmt , "sss" , $name,$publisher,$date);

mysqli_stmt_execute($stmt);

And try to use only the object style, not the procedural style, of the mysqli extension.

You are mixing both here:

$conn = mysqli_connect($host,$username,$password,$db); // procedural style

$conn->set_charset('utf8'); // object style

You can use PDO. It's very simple to build safe SELECT and INSERT queries. However, you must be careful with some commands such as ORDER BY.

<?php

$pdo = new PDO('mysql:host=localhost;dbname=databasename;charset=utf8', 'username', 'password');
$statement = $pdo->prepare("SELECT * FROM users WHERE firstname = :firstname AND lastname = :lastname");
$statement->execute(array(':firstname' => 'Max', ':lastname' =>  'Mustermann'));  

if( $statement->rowCount() > 0 ) { 
   $row = $statement->fetch();
   echo "Hello " . $row['firstname'];
}

?>

Mysqli can be used too, but please check out mysqli_real_escape_string.
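
As an added example (not part of the original answers), the script below shows a prepared-statement INSERT for the `sample` table and the ORDER BY caveat mentioned above handled with an allow-list. It assumes the pdo_sqlite extension and uses an in-memory SQLite database in place of MySQL so it runs offline; the function names `insertSample` and `listSamples` and the YYYY-MM-DD date format are assumptions.

```php
<?php
// Added example, not from the original answers. SQLite in memory stands in
// for MySQL so the script runs offline; the PDO calls are the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sample (name TEXT, publisher TEXT, date TEXT)');

// Values travel as bound parameters, never as part of the SQL text.
function insertSample(PDO $pdo, string $name, string $publisher, string $date): void
{
    // Validate the shape of the date before storing it (assumed format: YYYY-MM-DD).
    $d = DateTime::createFromFormat('!Y-m-d', $date);
    if ($d === false || $d->format('Y-m-d') !== $date) {
        throw new InvalidArgumentException('date must be YYYY-MM-DD');
    }
    $stmt = $pdo->prepare(
        'INSERT INTO sample (name, publisher, date) VALUES (:name, :publisher, :date)'
    );
    $stmt->execute([':name' => $name, ':publisher' => $publisher, ':date' => $date]);
}

// Placeholders cannot stand for column names or ASC/DESC, so the ORDER BY
// parts are chosen from a fixed allow-list instead of taken from the request.
function listSamples(PDO $pdo, string $sort, string $dir): array
{
    $columns = ['name' => 'name', 'publisher' => 'publisher', 'date' => 'date'];
    $column = $columns[$sort] ?? 'name';               // unknown key -> default
    $direction = strtolower($dir) === 'desc' ? 'DESC' : 'ASC';
    $stmt = $pdo->query("SELECT name, publisher, date FROM sample ORDER BY $column $direction");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample input; the quotes are stored as data, not parsed as SQL.
insertSample($pdo, "O'Reilly's \"Guide\"", 'Acme', '2020-05-01');
insertSample($pdo, 'Basics', "x', 'y", '2019-01-15');

// An unexpected sort key falls back to the default column.
foreach (listSamples($pdo, 'date; --', 'desc') as $row) {
    // Escape on output as well, as the question's script sends text/html.
    echo htmlspecialchars(implode(' | ', $row), ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```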
