PHP protection help


#1

I need help to protect my code from mysqli injection and special characters.
I have
$wiadomosc = filter_var($_POST['wiadomosc'], FILTER_SANITIZE_STRING); and every special character will be removed, but now my question is: does this code protect me from mysqli injection such as a "DROP TABLE"? I don't want anyone to destroy everything. Can you tell me how to protect a simple mail form and a form where data is added to the DB?
Thank you guys.

p.s. I have no registration info or login form


#2

Use PDO or mysqli and prepared/parameterized queries to protect against SQL injection hacks. Do not sanitize/escape (aka mangle) data.

For email just use a service like Mailgun and you're OK.


#3

OK, you gave me a hint, so I will check online how to do this. I need to do this ASAP. One more question: why, when I do the form validation, does it still send after pressing the "submit" button even if the input is empty?


#4

How do you do the form validation?

Do you mean that the page with the form submits/reloads or that the email sends? Need your code either way.


#5

$name = $_POST['name'];

if ($name = " ") {
    echo "error message";
}


#6

You need to add the full code for what you're doing and explain how it isn't working as expected.


#7

[php]<?php
$server= "localhost";
$database= "";
$username= "";
$password= "";

$connection=mysqli_connect($server, $username, $password, $database);
if(!$connection){
echo " connection failed". mysqli_connect_error();
} else{
if(isset($_POST['submit'])){
$firma=filter_var($_POST['firma'], FILTER_SANITIZE_STRING);
$polecam=filter_var($_POST['polecam'], FILTER_SANITIZE_STRING);
$place=filter_var($_POST['place'], FILTER_SANITIZE_STRING);
if($name=" "){
echo "error message";
}
$date = date('Y-m-d H:i:s');
$sql="INSERT INTO niepol (firma, niepolecam, place, data) VALUES ('$firma', '$polecam', '$place', '$date')";

    if($final=mysqli_query($connection, $sql)){
        echo "<h2>Dziekujemy</h2>";
        echo"<p>Twoja ogłoszenie zostało dodane i będzie widoczne automatycznie</p>";
    } else{
        echo "Ogłoszenie nie zostało dodane. Prosimy o kontakt z administratorem";
    }
}

}
?>[/php]


#8

Please fix the formatting and use [php] tags when pasting code.

[php]<?php
$server = "localhost";
$database = "";
$username = "";
$password = "";
$connection = mysqli_connect($server, $username, $password, $database);
if (!$connection) {
    echo " connection failed" . mysqli_connect_error();
} else {
    if (isset($_POST['submit'])) {
        $firma = filter_var($_POST['firma'], FILTER_SANITIZE_STRING);
        $polecam = filter_var($_POST['polecam'], FILTER_SANITIZE_STRING);
        $place = filter_var($_POST['place'], FILTER_SANITIZE_STRING);
        if ($name = " ") {
            echo "error message";
        }
        $date = date('Y-m-d H:i:s');
        $sql = "INSERT INTO niepol (firma, niepolecam, place, data) VALUES ('$firma', '$polecam', '$place', '$date')";
        if ($final = mysqli_query($connection, $sql)) {
            echo "<h2>Dziekujemy</h2>";
            echo "<p>Twoja ogłoszenie zostało dodane i będzie widoczne automatycznie</p>";
        } else {
            echo "Ogłoszenie nie zostało dodane. Prosimy o kontakt z administratorem";
        }
    }
}
?>[/php]

#9

I hope it will work. I know I'm a messy person. In my spare time I will clean up my code. Thank you for your help.


#10

OK, tell me why $_SESSION is not working? <?php start_session() ?> on both pages.
if ($name = " ") {

    $_SESSION['error'] = "some message";

}

and I want to display this message where the form is, so
if (isiset($_SESSION['error'])) {
    echo $_SESSION['error'];
}
unset_session($_SESSION['error']);
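The prepared-statement approach recommended in #2, applied to the INSERT and the empty-field check from the code in #7/#8 and to the session message from #10, as an added example that is not any poster's code. The database credentials and the `form.php` redirect target are assumed; the table and column names are the thread's, and FILTER_SANITIZE_STRING (deprecated since PHP 8.1) is dropped because stripping characters is not what prevents injection, the placeholders are.

```php
<?php
// Added example: mysqli prepared statement plus real validation for the thread's form.
// DB credentials below are placeholders; 'form.php' is an assumed page name.
session_start();

$connection = mysqli_connect('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if (!$connection) {
    exit('connection failed: ' . mysqli_connect_error());
}

if (isset($_POST['submit'])) {
    // Validate first. trim() catches whitespace-only input; === compares, whereas
    // a single = (as in the posted code) assigns and makes the condition always true.
    $firma   = trim($_POST['firma']   ?? '');
    $polecam = trim($_POST['polecam'] ?? '');
    $place   = trim($_POST['place']   ?? '');
    if ($firma === '' || $polecam === '' || $place === '') {
        $_SESSION['error'] = 'Wszystkie pola są wymagane'; // "All fields are required"
        header('Location: form.php');
        exit;
    }

    // Placeholders keep the SQL text fixed: whatever the user typed (quotes, SQL keywords
    // such as DROP TABLE) is bound as a string value and never parsed as SQL, so no
    // escaping or "sanitizing" of the input is needed for the query itself.
    $date = date('Y-m-d H:i:s');
    $stmt = mysqli_prepare(
        $connection,
        'INSERT INTO niepol (firma, niepolecam, place, data) VALUES (?, ?, ?, ?)'
    );
    if ($stmt === false) {
        exit('prepare failed: ' . mysqli_error($connection));
    }
    mysqli_stmt_bind_param($stmt, 'ssss', $firma, $polecam, $place, $date);
    if (mysqli_stmt_execute($stmt)) {
        echo '<h2>Dziekujemy</h2>';
    } else {
        error_log('insert failed: ' . mysqli_stmt_error($stmt)); // detail to the log, not the user
        echo 'Ogłoszenie nie zostało dodane. Prosimy o kontakt z administratorem';
    }
    mysqli_stmt_close($stmt);
}

// On form.php (shown here in the same file for brevity): session_start() must also run
// there before any output. Show the message once, escaped for HTML, then clear it with
// unset(); PHP has no unset_session() function.
if (isset($_SESSION['error'])) {
    echo '<p>' . htmlspecialchars($_SESSION['error'], ENT_QUOTES, 'UTF-8') . '</p>';
    unset($_SESSION['error']);
}
```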


#11

I just formatted the code and added it to the thread so people could actually read it. I didn't change it in any way.

If you use a proper editor/IDE then it will contain automatic tools to reformat your code so it’s structured properly.