I hope this code sanitation will protect my form inputs against SQL injection and phishing.

```php
$book = mysql_real_escape_string($_POST["book"]);
$name = mysql_real_escape_string($_POST["name"]);
$order_a = rand(10000, 50000);
$message = '';
$stmt = $mysqli->stmt_init();
if ($stmt->prepare("insert into record(book,name,order_a) VALUES (?, ?, ?)")) {
    // One type character per placeholder: two strings and one integer
    $stmt->bind_param('ssi', $book, $name, $order_a);
    $stmt->execute();
    // Close statement object
    $stmt->close();
}
```
5 replies to this topic
#1
Posted 23 September 2012 - 04:19 PM
#2
Posted 23 September 2012 - 07:26 PM
Mutago,
If that code is server side then you are still receiving malversed string parameters as in book and name, cause those parameters are generated in the html page and the added sql comes from an url intersection and reshape in the middle of its route to your server.
So what you can do is either jump the site to SSL or to add the protection in the page with javascript, obscuring the submit, changing the posted var names and maybe applying some codification or CRC to it.
#3
Posted 23 September 2012 - 10:49 PM
Isn't all the SQL injection taken care of with prepared statements in php?
> Mutago,
> If that code is server side then you are still receiving malversed string parameters as in book and name, cause those parameters are generated in the html page and the added sql comes from an url intersection and reshape in the middle of its route to your server.
> So what you can do is either jump the site to SSL or to add the protection in the page with javascript, obscuring the submit, changing the posted var names and maybe applying some codification or CRC to it.
#4
Posted 24 September 2012 - 05:41 AM
I believe this is true. The OP shouldn't have to worry about any SQL injection attacks with the code he's written above.
> Isn't all the SQL injection taken care of with prepared statements in php?
From: http://php.net/manua...-statements.php
> Bound variables will be escaped automatically by the server. The server inserts their escaped values at the appropriate places into the statement template before execution. A hint must be provided to the server for the type of bound variable, to create an appropriate conversion. See the mysqli_stmt_bind_param() function for more information.
So the OP doesn't need to call mysql_real_escape_string() at all. By doing so, you possibly end up with doubly-escaped characters. The calls to mysql_real_escape_string() should be left out entirely when using prepared statements.
> Mutago,
> If that code is server side then you are still receiving malversed string parameters as in book and name, cause those parameters are generated in the html page and the added sql comes from an url intersection and reshape in the middle of its route to your server.
> So what you can do is either jump the site to SSL or to add the protection in the page with javascript, obscuring the submit, changing the posted var names and maybe applying some codification or CRC to it.
Javascript validators and obfuscation will not protect against a packet reshape en route. He still may want to add a little more validation server-side to make sure that the actual contents of the variables make sense in the context of his application, but since the above code is server side, no packet reshaping will ever successfully inject SQL, which is what the OP was concerned with.
Hofstadter's Law: It always takes longer than you expect, even when you take into account Hofstadter's Law.
– Douglas Hofstadter, Gödel, Escher, Bach: An Eternal Golden Braid
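The point made in this reply (a bound parameter is data, so escaping it first only corrupts the stored value), shown as an added example that is not code from the thread or from the PHP manual. It uses PDO with an in-memory SQLite database (pdo_sqlite assumed available) so it runs without a MySQL server, and addslashes() stands in for mysql_real_escape_string(), which needs a live MySQL link; both put a backslash before a quote. The table mirrors the OP's record(book, name, order_a).

```php
<?php
declare(strict_types=1);

// Added example, not from the thread or the PHP manual. PDO + in-memory SQLite
// (pdo_sqlite assumed available) so it runs without a MySQL server; the table
// mirrors the OP's record(book, name, order_a).
function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE record (id INTEGER PRIMARY KEY, book TEXT, name TEXT, order_a INTEGER)');
    return $pdo;
}

// Insert through a prepared statement. The template is parsed once with
// placeholders; the bound values travel as data and are never parsed as SQL.
// (The mysqli equivalent for these three placeholders is bind_param('ssi', ...):
// one type character per placeholder.)
function insertRecord(PDO $pdo, string $book, string $name, int $orderA): void
{
    $stmt = $pdo->prepare('INSERT INTO record (book, name, order_a) VALUES (?, ?, ?)');
    $stmt->bindValue(1, $book, PDO::PARAM_STR);
    $stmt->bindValue(2, $name, PDO::PARAM_STR);
    $stmt->bindValue(3, $orderA, PDO::PARAM_INT);
    $stmt->execute();
}

function storedNames(PDO $pdo): array
{
    return $pdo->query('SELECT name FROM record ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = makeDb();

// Constructed hostile input of the kind the thread worries about.
$hostile = "x', 'y', 1); DROP TABLE record; --";

// 1. Bound as-is: stored verbatim as one string; no second statement runs.
insertRecord($pdo, 'SICP', $hostile, 12345);

// 2. Escaped first, then bound: the backslash added by the escaping function
//    becomes part of the data. addslashes() stands in for
//    mysql_real_escape_string() here.
insertRecord($pdo, 'SICP', addslashes("O'Reilly"), 23456);

$names = storedNames($pdo);
$tableIntact = (int) $pdo->query('SELECT COUNT(*) FROM record')->fetchColumn() === 2;

// Row 1 holds the hostile text unchanged and the table still exists;
// row 2 holds O\'Reilly, the doubly-escaped form the reply warns about.
if (!$tableIntact || $names[0] !== $hostile || $names[1] !== "O\\'Reilly") {
    throw new RuntimeException('unexpected stored values');
}
foreach ($names as $i => $n) {
    printf("row %d: %s\n", $i + 1, $n);
}
```

Run it with `php example.php`. The second row is the practical symptom of double escaping: a name entered as O'Reilly comes back from the database with a stray backslash, and a later exact-match lookup on the original value misses it.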
#5
Posted 24 September 2012 - 01:46 PM
thanks
#6
Posted 27 September 2012 - 06:07 AM
> I believe this is true. The OP shouldn't have to worry about any SQL injection attacks with the code he's written above.
> > Isn't all the SQL injection taken care of with prepared statements in php?
> From: http://php.net/manua...-statements.php
> > Bound variables will be escaped automatically by the server. The server inserts their escaped values at the appropriate places into the statement template before execution. A hint must be provided to the server for the type of bound variable, to create an appropriate conversion. See the mysqli_stmt_bind_param() function for more information.
> So the OP doesn't need to call mysql_real_escape_string() at all. By doing so, you possibly end up with doubly-escaped characters. The calls to mysql_real_escape_string() should be left out entirely when using prepared statements.
> > Mutago,
> > If that code is server side then you are still receiving malversed string parameters as in book and name, cause those parameters are generated in the html page and the added sql comes from an url intersection and reshape in the middle of its route to your server.
> > So what you can do is either jump the site to SSL or to add the protection in the page with javascript, obscuring the submit, changing the posted var names and maybe applying some codification or CRC to it.
> Javascript validators and obfuscation will not protect against a packet reshape en route. He still may want to add a little more validation server-side to make sure that the actual contents of the variables make sense in the context of his application, but since the above code is server side, no packet reshaping will ever successfully inject SQL, which is what the OP was concerned with.
> Isn't all the SQL injection taken care of with prepared statements in php?
> > Mutago,
> > If that code is server side then you are still receiving malversed string parameters as in book and name, cause those parameters are generated in the html page and the added sql comes from an url intersection and reshape in the middle of its route to your server.
> > So what you can do is either jump the site to SSL or to add the protection in the page with javascript, obscuring the submit, changing the posted var names and maybe applying some codification or CRC to it.
Yes that is true. I still
I agree 100%. Also you could add a bit of code like this to check for invalid or suspicious input to create a security hook of some sort.
```php
// Reject the request if the book field contains any character from this deny-list
if (preg_match('/[;\'{}+=\[\]\-?<>:"*&%$#()]/', $_POST['book'], $matches)) {
    $error = "illegal input ";
    exit;
}
```
"The question of whether a computer can think is no more interesting than the question of whether a submarine can swim." (Edsger Dijkstra)
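Server-side validation of the two fields, as suggested in reply #4 and in the post above: an added example, not code from the thread, contrasting per-field allow-list rules (what each field may contain) with the character deny-list regex. The limits (100 code points for book, 60 for name) and the set of characters allowed in a name are assumptions for illustration; the sample submissions are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Limits and allowed characters are
// assumptions chosen for illustration.

// Returns ['ok' => bool, 'book' => string, 'name' => string, 'errors' => array].
function validateInput(array $post): array
{
    $errors = [];
    $book = trim((string) ($post['book'] ?? ''));
    $name = trim((string) ($post['name'] ?? ''));

    // Book title: 1-100 code points of any printable text, no control characters.
    // With the /u flag preg_match() returns false on invalid UTF-8, which fails here too.
    if (preg_match('/^[^\p{Cc}]{1,100}$/u', $book) !== 1) {
        $errors['book'] = 'book must be 1-100 printable characters';
    }

    // Person name: starts with a letter; then letters, combining marks, spaces,
    // periods, apostrophes and hyphens; at most 60 code points in total.
    if (preg_match('/^[\p{L}\p{M}][\p{L}\p{M} .\'\-]{0,59}$/u', $name) !== 1) {
        $errors['name'] = 'name must be 1-60 letters, spaces, periods, apostrophes or hyphens';
    }

    return ['ok' => $errors === [], 'book' => $book, 'name' => $name, 'errors' => $errors];
}

// The character deny-list from the post above, kept for comparison.
function denyListRejects(string $value): bool
{
    return preg_match('/[;\'{}+=\[\]\-?<>:"*&%$#()]/', $value) === 1;
}

// Constructed sample submissions.
$samples = [
    ['book' => 'Gödel, Escher, Bach',                 'name' => "Conor O'Brien"],
    ['book' => "x', 'y', 1); DROP TABLE record; --", 'name' => 'Mallory'],
    ['book' => "SICP\x00",                            'name' => 'Alice'],
    ['book' => 'SICP',                                'name' => str_repeat('a', 61)],
];

foreach ($samples as $s) {
    $r = validateInput($s);
    $deny = denyListRejects($s['book']) || denyListRejects($s['name']);
    printf(
        "%-40s | allow-list: %-4s %-60s | deny-list: %s\n",
        addcslashes(substr($s['book'], 0, 40), "\0..\37"),
        $r['ok'] ? 'ok' : 'fail',
        implode('; ', $r['errors']),
        $deny ? 'rejected' : 'accepted'
    );
}
```

Two things the output makes visible. The deny-list turns away the legitimate user named O'Brien while accepting the NUL byte and the over-long name, because it only knows about punctuation. The allow-list accepts the hostile book title, and that is fine: with the prepared statement from the original post the string is stored as data, so validation is there to keep the stored contents sensible for the application, not to stand in for the prepared statement.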