4

Also malicious inserts

I've seen this question asked but none of the responses worked for me (or rather I was too stupid to make them work). I think I need personalized help. Every time I refresh my php page it inserts blank data. How do I prevent blank and/or malicious data from being inserted.

This is my code:

 <?php $con = mysql_connect("localhost","user","pass") or die ("Couldn't connect!"); if (!$con) { die('Could not connect: ' . mysql_error()); } mysql_select_db("streams") or die ("Couldn't find db"); $sql="INSERT INTO streams (streamname) VALUES ('$_POST[streamname]')"; if (!mysql_query($sql,$con)) { die('Error: ' . mysql_error()); } echo "1 record added"; mysql_close($con) ?> <form action="submit.php" method="POST"> Stream Name: <input type="text" name="streamname" id="streamname" /><br /> <input type="submit" name="submit" value="Stream" /> </form>
Improve this question
3
  • you didnt't validate $_POST[streamname]. By "blank data" you mean '' or NULL ? Commented Jan 10, 2012 at 0:46
  • 1
    You have a SQL injection vulnerability. Commented Jan 10, 2012 at 0:48
  • @SLaks How do I protect from that? Commented Jan 10, 2012 at 0:57

3 Answers 3

Reset to default
5

Wrap it with some defensive logic: 

if(!empty($_POST['streamname'])) { // Your code here }
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

also, if someone enters an empty value, you should give them a warning message stating that it is a required field so they understand why the form will not submit.
That wraps the entirety of the php from the mysql open to close?
2

Try checking if POST params are set :

 <?php if($_POST) { $con = mysql_connect("localhost","user","pass") or die ("Couldn't connect!"); if (!$con) { die('Could not connect: ' . mysql_error()); } mysql_select_db("streams") or die ("Couldn't find db"); $sql="INSERT INTO streams (streamname) VALUES ('$_POST[streamname]')"; if (!mysql_query($sql,$con)) { die('Error: ' . mysql_error()); } echo "1 record added"; mysql_close($con); } ?> <form action="submit.php" method="POST"> Stream Name: <input type="text" name="streamname" id="streamname" /><br /> <input type="submit" name="submit" value="Stream" /> </form>
Improve this answer

1 Comment

just because the post params are set, doesn't mean they won't be blank.
0

You should be escaping the input.

$sql='INSERT INTO streams (streamname) VALUES ("'.mysql_real_escape_string($_POST[streamname]).'")';
Improve this answer

7 Comments

while important, this is a comment rather than an answer to the question.
I think it's probably a fix since the array reference is used properly in the insert in this statement.
@amccausl What does an escape string do?
It will remove the potential for a sql injection attach
@amccausl I edited my code with what you gave me. But it seems to have messed up some of my other code. Now when I make a call to the database instead of saying something like: hi my name is "data". it says hi my name is "mysql escape (data)".
|

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.