excelmaster Posted May 9, 2014 Share Posted May 9, 2014 Hello all, Newbie here....and I've tried a number of differet ways (using the code included below) to incorporate the "mysqli_real_escape_string" function into my code but have been unsuccessful. How (or shoudl I say where) would I include this function, in order to be able to have my data inserted correctly, whilst also avoiding a potential SQL injection attack? Appreciate all the help you guys provide here on this wonderful forum. <!doctype html> <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" /> <title>Shopping List WebApp</title> <!-- Latest compiled and minified CSS --> <link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css"> <link rel="stylesheet" type="text/css" href="default.css"> <link href="demo.css" type="text/css" rel="stylesheet"> <link rel="stylesheet" type="text/css" media="all" href="style.css" /> <!-- Optional theme --> <link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap-theme.min.css"> <!-- jQuery --> <script src="//code.jquery.com/jquery-1.11.1.min.js"></script> <!-- Latest compiled and minified JavaScript --> <script src="//netdna.bootstrapcdn.com/bootstrap/3.1.1/js/bootstrap.min.js"></script> <link rel="stylesheet" href="//code.jquery.com/ui/1.10.4/themes/smoothness/jquery-ui.css"> <script src="//code.jquery.com/jquery-1.10.2.js"></script> <script src="//code.jquery.com/ui/1.10.4/jquery-ui.js"></script> <link rel="stylesheet" href="/resources/demos/style.css"> <script> // Function to return user to same tab/function after POST/SUBMIT $(document).ready(function(){ $('a[href="' + window.location.hash + '"]').click(); }); </script> <script> // Function to display a calendar for DATE selection $(function() { $( "#datepicker" ).datepicker(); }); </script> </head> <body> <!-- <div class="container"> --> <div class="wrapper"> <div class="body_wrapper"> <div class="row"> <div class="page-header"> <h1>Stores List WebApp</h1> </div> </div> <?php $mysqli = new mysqli('localhost', 'blah', 'blah-blah-blah', 'blah'); if ($mysqli->connect_error) { die('Connect Error (' . $mysqli->connect_errno . ') ' . $mysqli->connect_error); } if(isset($_REQUEST["action"])){ switch($_REQUEST["action"]){ case "insert": $SQL="INSERT INTO stores (store_name, store_description) VALUES ("; $SQL=$SQL."'" . $_REQUEST["store_name"] . "',"; $SQL=$SQL."'" . $_REQUEST["item_description"] . "',"; $SQL=$SQL.");"; if ($mysqli->query($SQL)=== FALSE) { printf("Error – Unable to insert data to table " . $mysqli->error); } break; case "delete": if(isset($_REQUEST['delete-selected'])) { $SQL="DELETE FROM shoplist WHERE"; for($i=0; $i < count($_REQUEST['checkboxes']); $i++){ $SQL=$SQL . " idnumber=" . $_REQUEST['checkboxes'][$i] . " or"; } $SQL= rtrim($SQL, "or"); if ($mysqli->query($SQL)== FALSE) { echo '<div class="highlight-error">Error: Unable to delete value (perhaps you have not selected anything to delete!)</div>'; } break; } else if(isset($_REQUEST['delete-all'])) { $SQL="DELETE FROM shoplist"; if ($mysqli->query($SQL)== FALSE) { echo '<div class="highlight-error">Error: Unable to delete value (perhaps there is nothing to delete!)</div>'; } break; } case "update": if(isset($_REQUEST['highlight-purchased'])) { $SQL="UPDATE shoplist SET purchased = 'Y' WHERE"; for($i=0; $i < count($_REQUEST['checkboxes']); $i++){ $SQL=$SQL . " idnumber=" . $_REQUEST['checkboxes'][$i] . " or"; } $SQL= rtrim($SQL, "or"); if ($mysqli->query($SQL)== FALSE) { echo '<div class="highlight-error">Error: Unable to update value (perhaps you have not selected anything to update!)</div>'; } else { // echo mysqli_affected_rows($mysqli). ' Records UPDATED successfully<br />'; } break; } else if(isset($_REQUEST['highlight-later'])) { $SQL="UPDATE shoplist SET later_in_week = 'Y' WHERE"; for($i=0; $i < count($_REQUEST['checkboxes']); $i++){ $SQL=$SQL . " idnumber=" . $_REQUEST['checkboxes'][$i] . " or"; } $SQL= rtrim($SQL, "or"); if ($mysqli->query($SQL)== FALSE) { echo '<div class="highlight-error">Error: Unable to update value (perhaps you have not selected anything to update!)</div>'; } else { // echo mysqli_affected_rows($mysqli). ' Records UPDATED successfully<br />'; } break; } else if(isset($_REQUEST['highlight-remove-purchased'])) { $SQL="UPDATE shoplist SET purchased = 'N' WHERE"; for($i=0; $i < count($_REQUEST['checkboxes']); $i++){ $SQL=$SQL . " idnumber=" . $_REQUEST['checkboxes'][$i] . " or"; } $SQL= rtrim($SQL, "or"); if ($mysqli->query($SQL)== FALSE) { echo '<div class="highlight-error">Error: Unable to update value (perhaps you have not selected anything to update!)</div>'; } else { // echo mysqli_affected_rows($mysqli). ' Records UPDATED successfully<br />'; } break; } else if(isset($_REQUEST['highlight-remove-later'])) { $SQL="UPDATE shoplist SET later_in_week = 'N' WHERE"; for($i=0; $i < count($_REQUEST['checkboxes']); $i++){ $SQL=$SQL . " idnumber=" . $_REQUEST['checkboxes'][$i] . " or"; } $SQL= rtrim($SQL, "or"); if ($mysqli->query($SQL)== FALSE) { echo '<div class="highlight-error">Error: Unable to update value (perhaps you have not selected anything to update!)</div>'; } else { // echo mysqli_affected_rows($mysqli). ' Records UPDATED successfully<br />'; } break; } } } ?> <div class="row"> <!-- Nav tabs --> <ul class="nav nav-tabs"> <li class="active"><a href="#add" data-toggle="tab">Add</a></li> <li><a href="#update" data-toggle="tab">Update/View</a></li> <li><a href="#delete" data-toggle="tab">Delete/View</a></li> <li><a href="#search" data-toggle="tab">Search/View</a></li> </ul> <!-- Tab panes --> <div class="tab-content"> <div class="tab-pane active" id="add"> <h3>Add Items:</h3> <p>Use this section to add new item(s).</p> <!-- <form action="#add"> --> <form class="add-data-form" id="add-data-form" action="#add" method="POST"> <input type="hidden" name="action" value="insert" /> <div class="full-row"> <div class="field-label"> Store Name: </div> <select class="store-name" name="store_name"> <option value="No Frills">No Frills</option> <option value="Super Store">Super Store</option> <option value="Food Basics">Food Basics</option> <option value="Freshco">Freshco</option> <option value="Wal Mart">Wal Mart</option> <option value="Giant Tiger">Giant Tiger</option> <option value="Foodland">Foodland</option> <option value="Metro">Metro</option> <option value="Sobeys">Sobeys</option> <option value="SDM">Shoppers Drug Mart</option> <option value="Target">Target</option> </select> </div> <div class="full-row"><div class="field-label">Store Description: </div><div class="field-input"><input class="item-desc" name="store_description" /></div></div> <input class="add-button" value="Add row" type="submit" /> </form> </div> <div class="tab-pane" id="update"> <h3>View and Update Items:</h3> <!-- <form action="#update"> --> <form class="update-data-form" id="update-data-form" action="#update" method="POST"> <input type="hidden" name="action" value="update" /> <div class="full-row-heading"> <table> <tr> <th><span class="spacer-store-name">Store</span></th> <th><span class="spacer-item-desc">Desc.</span></th> </tr> </table> </div> <table> <?php $result = $mysqli->query("SELECT * FROM shoplist ORDER BY store_name ASC"); while($row = $result->fetch_assoc()){ print '<tr>'; print '<td><span class="filler-checkbox"><input type="checkbox" name="checkboxes[]" value="' . $row["idnumber"] . '" /></span></td>'; if ($row["purchased"] == "Y") { print '<td><span class="highlight-purchased">' . $row["store_name"] . '</span></td>'; print '<td><span class="highlight-purchased">' . $row["store_description"] . '</span></td>'; } else if (($row["later_in_week"] == "Y") && ($row["purchased"] != "Y")) { print '<td><span class="highlight-later">' . $row["store_name"] . '</span></td>'; print '<td><span class="highlight-later">' . $row["store_description"] . '</span></td>'; } else { print '<td>' . $row["store_name"] . '</td>'; print '<td>' . $row["store_description"] . '</td>'; } print '</tr>'; } ?> </table> <div class="full-row-buttons"> <input class="update-button-purchased" name="highlight-purchased" value="Highlight selected item(s) as *Purchased*" type="submit"/> <input class="update-button-later" name="highlight-later" value="Highlight selected item(s) as *Later in Week*" type="submit"/> </div> <div class="full-row-buttons"> <input class="update-button-remove-purchased" name="highlight-remove-purchased" value="Unhighlight selected *Purchased* item(s)" type="submit"/> <input class="update-button-remove-later" name="highlight-remove-later" value="Unhighlight selected *Later in Week* item(s)" type="submit"/> </div> </form> </div> <div class="tab-pane" id="delete"> <h3>View and Delete Items:</h3> <!-- <form action="#delete"> --> <form class="delete-data-form" id="delete-data-form" action="#delete" method="POST"> <input type="hidden" name="action" value="delete" /> <div class="full-row-heading"> <table> <tr> <th><span class="spacer-store-name">Store</span></th> <th><span class="spacer-item-desc">Desc</span></th> </tr> </table> </div> <table> <?php $result = $mysqli->query("SELECT * FROM shoplist ORDER BY store_name ASC"); while($row = $result->fetch_assoc()){ print '<tr>'; print '<td><span class="filler-checkbox"><input type="checkbox" name="checkboxes[]" value="' . $row["idnumber"] . '" /></span></td>'; if ($row["purchased"] == "Y") { print '<td><span class="highlight-purchased">' . $row["store_name"] . '</span></td>'; print '<td><span class="highlight-purchased">' . $row["store_description"] . '</span></td>'; } else if (($row["later_in_week"] == "Y") && ($row["purchased"] != "Y")) { print '<td><span class="highlight-later">' . $row["store_name"] . '</span></td>'; print '<td><span class="highlight-later">' . $row["store_description"] . '</span></td>'; } else { print '<td>' . $row["store_name"] . '</td>'; print '<td>' . $row["store_description"] . '</td>'; } print '</tr>'; } ?> </table> <input class="delete-button-selected" name="delete-selected" value="Delete selected row(s)" type="submit"/> <input class="delete-button-all" name="delete-all" value="Delete ALL row(s)" type="submit"/> </form> </div> <div class="tab-pane" id="search"> <h3>Search and View Items:</h3> <form class="search-data-form" id="search-data-form" action="#search" method="POST"> <div class="search-container"> <div class="full-row"> <div class="field-label"> Choose search field: </div> <div class="field-input"> <select name="searchtype"> <option value="store_name">Store Name</option> <option value="item_description">Store Description</option> </select> </div> <br /> </div> <div class="full-row"> <div class="field-label"> Enter search term: </div> <div class="field-input"> <input name="searchterm" type="text" size="40"/> </div> <br /> </div> </div> <input class="search-button" type="submit" name="submit" value="Search"/> <div class="full-row-heading"> <table> <tr> <th><span class="spacer-store-name">Store</span></th> <th><span class="spacer-store-desc">Desc.</span></th> </tr> </table> </div> <table> <?php // create short variable names $searchtype=$_POST['searchtype']; $searchterm=trim($_POST['searchterm']); if (!get_magic_quotes_gpc()) { $searchtype = addslashes($searchtype); $searchterm = addslashes($searchterm); } $query = "select * from shoplist where " . $searchtype . " like '%" . $searchterm . "%' ORDER BY " . $searchtype . " ASC"; $result = $mysqli->query($query); $num_results = $result->num_rows; for ($i=0; $i < $num_results; $i++) { $row = $result->fetch_assoc(); print "<tr>"; if ($row["purchased"] == "Y") { print '<td><span class="highlight-purchased">' . ' ' . $row["store_name"] . '</span></td>'; print '<td><span class="highlight-purchased">' . $row["store_description"] . '</span></td>'; } else if (($row["later_in_week"] == "Y") && ($row["purchased"] != "Y")) { print '<td><span class="highlight-later">' . ' ' . $row["store_name"] . '</span></td>'; print '<td><span class="highlight-later">' . $row["store_description"] . '</span></td>'; } else { print '<td>' . ' ' . $row["store_name"] . '</td>'; print '<td>' . $row["store_description"] . '</td>'; } print "</tr>"; } $result->free(); $mysqli->close(); ?> </table> </form> </div> </div> </div> </div> </div> <!-- </div> --> </body> </html> Quote Link to comment https://forums.phpfreaks.com/topic/288373-how-do-i-use-mysqli_real_escape_string-in-my-insert-into-code/ Share on other sites More sharing options...
ginerjm Posted May 9, 2014 Share Posted May 9, 2014 If all you are asking is about how to sanitize your input for a query, why did you post so much code? Really - we don't need to see your js code, not your html for that matter. Just your php and your current attempt would be so much easier to read Quote Link to comment https://forums.phpfreaks.com/topic/288373-how-do-i-use-mysqli_real_escape_string-in-my-insert-into-code/#findComment-1478899 Share on other sites More sharing options...
excelmaster Posted May 9, 2014 Author Share Posted May 9, 2014 Ok, will do next time...my apologies. I have posted another separate post as well with the same mistake. Please bear with me for these two posts. Thanks. Quote Link to comment https://forums.phpfreaks.com/topic/288373-how-do-i-use-mysqli_real_escape_string-in-my-insert-into-code/#findComment-1478901 Share on other sites More sharing options...
Jacques1 Posted May 9, 2014 Share Posted May 9, 2014 Hi, manual escaping is extremely error-prone and should be avoided like the plague. It's simply too easy to forget it, break it by fucking up the encoding, break it by forgetting the quotes etc. Use prepared statements. This is really the only actual solution for the problem of SQL injections. Quote Link to comment https://forums.phpfreaks.com/topic/288373-how-do-i-use-mysqli_real_escape_string-in-my-insert-into-code/#findComment-1478911 Share on other sites More sharing options...
ginerjm Posted May 9, 2014 Share Posted May 9, 2014 So - no new code yet? Quote Link to comment https://forums.phpfreaks.com/topic/288373-how-do-i-use-mysqli_real_escape_string-in-my-insert-into-code/#findComment-1478912 Share on other sites More sharing options...
excelmaster Posted May 9, 2014 Author Share Posted May 9, 2014 Ooops! Didn't realize I had to post new code...but anyways, here it is: Thanks. if(isset($_REQUEST["action"])){ switch($_REQUEST["action"]){ case "insert": $SQL="INSERT INTO stores (store_name, store_description) VALUES ("; $SQL=$SQL."'" . $_REQUEST["store_name"] . "',"; $SQL=$SQL."'" . $_REQUEST["item_description"] . "',"; $SQL=$SQL.");"; if ($mysqli->query($SQL)=== FALSE) { printf("Error – Unable to insert data to table " . $mysqli->error); } break; ... ... Quote Link to comment https://forums.phpfreaks.com/topic/288373-how-do-i-use-mysqli_real_escape_string-in-my-insert-into-code/#findComment-1478913 Share on other sites More sharing options...
ginerjm Posted May 9, 2014 Share Posted May 9, 2014 (edited) Simply wrap each variable in a call to the MySQL_real_escape_string call. Of course as mentioned above you should switch to pdo and use prepared statements since MySQL_* is deprecated and soon to disappear. PS - I've read that is bad practice to use $_REQUEST. You should already know how your user is getting here, so use the proper array instead of whatever a potential hacker could have sent you. Edited May 9, 2014 by ginerjm Quote Link to comment https://forums.phpfreaks.com/topic/288373-how-do-i-use-mysqli_real_escape_string-in-my-insert-into-code/#findComment-1478914 Share on other sites More sharing options...
Jacques1 Posted May 9, 2014 Share Posted May 9, 2014 You do not need to switch to PDO. MySQLi supports prepared statements just as well. You just need to learn how to actually use MySQLi. Quote Link to comment https://forums.phpfreaks.com/topic/288373-how-do-i-use-mysqli_real_escape_string-in-my-insert-into-code/#findComment-1478918 Share on other sites More sharing options...
excelmaster Posted May 9, 2014 Author Share Posted May 9, 2014 Okay then...so I guess I'm gonna have to spend the time to understand/learn how to use "prepared statements" and then update my code accordingly. Thanks for the suggestions to avoid use of $_REQUEST and MySQL_real_escape_string calls....and thanks also for the links on how to use MySQLi and "prepared statements". Quote Link to comment https://forums.phpfreaks.com/topic/288373-how-do-i-use-mysqli_real_escape_string-in-my-insert-into-code/#findComment-1478922 Share on other sites More sharing options...
ginerjm Posted May 9, 2014 Share Posted May 9, 2014 The php manual is very good on teaching pdo and prepared strings Quote Link to comment https://forums.phpfreaks.com/topic/288373-how-do-i-use-mysqli_real_escape_string-in-my-insert-into-code/#findComment-1478932 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.