SQL Injection prevention

[shades]

Hi Guys,

 

Could someone please let me know how to change the below code so that there cannot be any SQL injections ?

 

Code:

 

<?php 

 

include("dbconnect.php");

 

if(isset($_POST['detail'], $_POST['name'])) {

 

                   $name = $_POST["name"]; 

                   $detail = $_POST["detail"]; 

    

                   for ($i=0; $i<count($detail); $i++){

 

                                                   $lenofi = count($detail[$i]);

 

                                  for ($j=0; $j<$lenofi; $j++){

 

                                                  $valofj[$i][$j] = $detail[$i][$j];

 

                                                              if ($j>1){

 

                                                                          $lenofj = count($detail[$i][$j]);

 

                                                                                for ($k=0; $k<$lenofj; $k++){

 

                                                                                                       $sql = "INSERT INTO dimensionlevel (name, text, descr, lid, lval) VALUES ('".$name."','".$valofj[$i][0]."','".$valofj[$i][1]."','".$k."','".$detail[$i][$j][$k]."')";

                

                                                                            if(!( mysqli_query( $mysqli, $sql ) )) {

                                                                                  echo mysqli_error($mysqli);

                                                                                        }

                                                                             else echo "success";

              

                                                                   }

 

                                                 }

                                    }

                     

                     }

       

    

   }     else

 

echo "Something is wrongggg !!!!";

 

?>

 

 

Thanks

[benanamen]

You could start with deleting that code and using PDO with prepared statements. That's how we do it in 2017. Here is a good tutorial to get you going. 

 

https://phpdelusions.net/pdo

Edited July 13, 2017 by benanamen

[Jacques1]

Psycho already told you in your last thread that stuffing all data into a single Excel-spreadsheet-style table is wrong, yet that's exactly what you're doing now. Do you not read the replies in your threads?

 

The data structures and code also need a major readability update. A triple-nested loop, cryptic variables and numerically indexed data have turned this simple task into a rather painful experience.

• Use foreach loops to iterate over arrays. There's no need to mess with for loops and indexes.
• Use associative arrays for complex data. Array elements like $item['name'] and $item['description'] are far more clear than constantly having to remember what $item[0] and $item[1] meant.
• Use meaningful variable names, not “lenofi” or “valofj”.

[shades]

You could start with deleting that code and using PDO with prepared statements. That's how we do it in 2017. Here is a good tutorial to get you going. 

 

https://phpdelusions.net/pdo

 

Thanks for the advice. I want to know is it bad to use mysqli ?

 

 

 

Psycho already told you in your last thread that stuffing all data into a single Excel-spreadsheet-style table is wrong, yet that's exactly what you're doing now. Do you not read the replies in your threads?

 

The data structures and code also need a major readability update. A triple-nested loop, cryptic variables and numerically indexed data have turned this simple task into a rather painful experience.

• Use foreach loops to iterate over arrays. There's no need to mess with for loops and indexes.
• Use associative arrays for complex data. Array elements like $item['name'] and $item['description'] are far more clear than constantly having to remember what $item[0] and $item[1] meant.
• Use meaningful variable names, not “lenofi” or “valofj”.

 

 

Yes I read his comment but still i felt like single table is fine in my scenario as there won't be any duplicates. Correct me if I am wrong. And thanks for the advice regarding loops and variable naming convention, I will check it out and come back to you if i succeed or have any other queries.

[Jacques1]

Thanks for the advice. I want to know is it bad to use mysqli ?

 

It wouldn't be bad if people used it correctly, but virtually nobody does that.

 

mysqli is a hardcore low-level interface which requires an extensive study of the manual and very careful programming. In all the mysqli code I've read on this forum (including yours), I haven't even seen an attempt at doing that. mysqli seems to be mostly abused as a cheap replacement for the old mysql_* functions, so its users get none of the benefits and all of the old problems (SQL injection vulnerabilities, leaking of error messages etc.).

 

PDO takes a far more realistic approach. It pretty much assumes that PHP programmers are lazy, so it provides an intuitive high-level API which doesn't require you to read the entire manual (but you still have to learn PDO, of course).

 

As a bonus, PDO works for all mainstream database systems, not just mysqli. So you avoid the vendor lock-in.

 

 

 

Yes I read his comment but still i felt like single table is fine in my scenario as there won't be any duplicates. Correct me if I am wrong.

 

You're wrong. See the other thread.