Getting error when passing variables

If I may jump into the thread…

The htmlentities() function will change the typed inputs into HTML entities. Therefore, things like slashes,
spaces, etc will be altered into the &#039, &amp formats. Not sure if this is needed.

The mysqli_real_escape_string() function will add escape characters where needed to the string. Therefore,
characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z. Not sure if this is needed either.

This really is not what you want. Read JimL’s last post as it explains further. Just set up your placeholders.

Let’s see if I can explain the other side of what you want.

Prepared Statements protect your database from injection attacks. As Jim elegantly points out. htmlentities protects the page itself.

Take this code as an example:
[php]$issue = "";

// Using htmlentities gives protection against those attacks.
// This will treat the attempted code injection as html text and render it harmless.
echo htmlentities( $issue );

// This will redirect you.
// This is bad, as it can be used in other ways as well.
echo $issue;
[/php]

ok, so why is my code incorrect then?

if I’ve used htmlentities to strip the input form values of anything nasty, and I’ve used prepared statement to put that data into the database, why is what I’ve done wrong?

Carl.

I’m not saying what you are doing is wrong. htmlentities is for displaying the information, not storing or prepping it to be stored. Prepared statements are for the storage portion.

ok so could you possibly fill me in on how to make a prepared statement for the form data?

[php]// mysqli_real_escape_string() returns the escaped copy; the result has to be assigned back
$clientid = htmlentities($_POST['clientid']);
$clientid = mysqli_real_escape_string($dbconn, $clientid);
$fname = htmlentities($_POST['fname']);
$fname = mysqli_real_escape_string($dbconn, $fname);
$sname = htmlentities($_POST['sname']);
$sname = mysqli_real_escape_string($dbconn, $sname);
$company = htmlentities($_POST['company']);
$company = mysqli_real_escape_string($dbconn, $company);[/php]

etc?

or is it the actual prepare statement in my code which needs changing?

As several of us explained, htmlentities does NOT strip out code. It changes items such as an ampersand
( & ) into an HTML version. ( &amp ) … This is so that browsers can display the values. Nothing to do with
security.

mysqli_real_escape_string adds in a slash ( \ ) in front of items that might make the string act weird in many
ways on pages or inside of databases. This will quite often defeat the casual hacker, but, there are ways
around it by good hackers using SQL-Injection. This has been deprecated and is not a standard now. The way
it is now done is with prepared statements. The question mark ( ? ) in a prepared statement tells the code
on the server and the SQL software that input is coming and should not be executed. It is data and is only
used as data. That is the secure way to handle it these days.

Astonecipher showed you how easy it is to make you be redirected to another site by use of a typed in
value. He showed it by entering text into a variable named $issue. This could be your site and the form’s
first name field.

Prepared statements are very simple. You basically just replace the data in the QUERY with ?'s and then
fill in that data when you call it. The MySQL database system takes care of the rest… Here is a link to a
site that explains it. You can press the “Next Chapter” button to look at other parts of how to set up DB
communications… This sampler shows both MySQLi and PDO. Hope it helps…
http://www.w3schools.com/php/php_mysql_prepared_statements.asp

I suggest you read the php.net manual on these and try to understand that it is not protecting your DB in
the way you think it is. Or, just test it… Create a small page that takes your inputs and displays them
back to you so you can see what we are talking about… Something like:

[php]$temp = $_POST['fname'];
// the raw value, the HTML-encoded value, and the SQL-escaped value, one per line
echo $temp . "\n" . htmlentities($temp) . "\n" . mysqli_real_escape_string($dbconn, $temp);[/php]

Then, type in various things that you think are not safe into the first name field and see what you
get back from it. It does not strip out code and does not make the field safe from code infection. These
DO help in formatting the string so it can be used in a QUERY, but, it does not really protect you. That is
the big difference.

Thanks Ernie,

I really am very grateful for all of the help you guys are giving. I think I’m getting my head around the prepare statements themselves, but I’m just unsure about when the statements should actually be prepared?

I understand that this is pretty insecure

$clientid = ($_POST['clientid']);

and something needs to happen to make it secure, and this is the bit I’m unsure of. Does the “make it secure” happen at this stage:

$clientid = ($_POST['clientid']);

or at the INSERT stage?

Carl.

Well, first, you don’t need the ()… Just $clientid = $_POST['clientid'];

Next, remember, PHP and MySQL are SERVER-SIDE. So, it is handled on the server not the browser.
The $_POST[] array is used in the browser AND the server. It is passed back and forth. Well, actually, just
passed from the browser to the server.

But, that is where the security issue comes in. ANY data that is passed back to a PHP script could be infected
by a hacker. Astonecipher showed you one way to do a redirection to Google. BUT, hackers are more likely
to drop a table or place fake info into the database instead. The way around it is to not allow any data that
is entered into the server to be used as “executable” code. Using prepared statements does this for you. It
just does not allow the “data” to be used for execution.

So, to handle that, you just alter your query a little. Instead of saying INSERT INTO tablename, something…
You INSERT INTO tablename ?,?,? instead. The server and the MySQL database code take care of the rest.
It’s very very easy. You just have to alter your queries to use prepared statements instead. They are easy.
I posted a simple tutorial on how they are done. Simple. Look at the sample at W3Schools I posted and it
will show you how to do it. Just takes one extra line of code. And a slight change in your query.

Try it and once you come up with code post it here and we can help if you can’t get it to work correctly…
good luck…
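Putting the thread's advice together in one place, here is an added example of how the form handler from the earlier posts looks with prepared statements for storage and htmlentities() only at display time. This is not code from any of the posters; the table name `clients`, its column names, the connection details and the `h()` helper are assumptions for illustration.

```php
<?php
// Added example (not from the thread). Assumes a form posting clientid, fname,
// sname and company, and a MySQL table `clients` with those columns. The table
// and column names, and the connection details, are assumptions.

declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false on errors.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Placeholder connection details.
$dbconn = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$dbconn->set_charset('utf8mb4');

/**
 * Store one client row. Every value goes in through a ? placeholder and
 * bind_param(), so whatever the user typed is handled as data, never as SQL.
 * No mysqli_real_escape_string() and no htmlentities() on the way in.
 */
function insert_client(mysqli $dbconn, string $clientid, string $fname, string $sname, string $company): int
{
    $sql  = 'INSERT INTO clients (clientid, fname, sname, company) VALUES (?, ?, ?, ?)';
    $stmt = $dbconn->prepare($sql);
    $stmt->bind_param('ssss', $clientid, $fname, $sname, $company);   // 's' = string for each ?
    $stmt->execute();
    return $stmt->affected_rows;                                       // 1 on success
}

/**
 * Encode a value for HTML output. This is where htmlentities() belongs:
 * the stored text is shown back as text, so a <script> tag a user typed
 * into "first name" is displayed literally instead of being run.
 */
function h(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Raw values straight from the form; nothing is stripped or encoded here.
    $clientid = $_POST['clientid'] ?? '';
    $fname    = $_POST['fname']    ?? '';
    $sname    = $_POST['sname']    ?? '';
    $company  = $_POST['company']  ?? '';

    insert_client($dbconn, $clientid, $fname, $sname, $company);

    // Read the row back with another prepared statement and encode at output time.
    $stmt = $dbconn->prepare('SELECT clientid, fname, sname, company FROM clients WHERE clientid = ?');
    $stmt->bind_param('s', $clientid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    echo '<p>Stored: ' . h($row['fname']) . ' ' . h($row['sname'])
       . ' (' . h($row['company']) . ')</p>';
}
```

The split matches what Ernie and Astonecipher describe: the database never sees user input as part of the query text, and the browser never sees stored input as markup. Encoding only at output also means the database holds the original text, so the same row can later be shown in a non-HTML context (a CSV export, an e-mail) without first undoing the entities.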
