 Am i safe against sql injection?


Nocturnes
Starting Member

1 Post

Posted - 2014-12-15 : 11:52:11
Been doing MySQLi & PHP for 2 weeks now and I like it!

However... you start to try things and after a while, even if it works... you start to read about things like SQL injection etc...

My goal is to create databases for small shops etc... with login etc...

It doesn't matter how big the client is... it has to be safe!

So my question: Am I doing it right?

This is the HTML

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <title>title</title>
    <link rel="stylesheet" href="style.css">
    <script src="script.js"></script>
</head>
<body>
    <form action="homes.php" method="POST">
        <p>Zoek: <input type="text" name="search" /></p>
        <p>Voornaam: <input type="text" name="Voornaam" /></p>
        <p>Achternaam: <input type="text" name="Achternaam" /></p>
        <p>Adres: <input type="text" name="Adres" /></p>
        <p>Discipline: <input type="text" name="Discipline" value="1 tot 5" /></p>
        <p>Bevestig zoeken: <input type="submit" name="Submit" /></p>
        <p>Voeg toe aan databank <input type="submit" name="Add_DB" value="Add to Database" /></p>
    </form>
    <?php
    require_once 'isset.php';
    ?>
</body>
</html>

This is the PHP

<?php
require_once 'login.php';
$dbcon = mysqli_connect($db_host, $db_username, $db_password, $db_database);
if (mysqli_connect_errno()) die("Error during connection");

if (isset($_POST['Submit'])) {
    $Naam = $_POST['search'];

    // The search term is placed directly into the query string.
    $Result = mysqli_query($dbcon, "SELECT * FROM customers WHERE Voornaam = '$Naam'");
    if (!$Result) die("Nothing to show");

    $Rows = $Result->num_rows;

    for ($i = 0; $i < $Rows; $i++) {
        $Row = mysqli_fetch_array($Result, MYSQLI_ASSOC);
        echo "Voornaam: " . $Row['Voornaam'] . "<br>";
        echo "Achternaam: " . $Row['Achternaam'] . "<br>";
        echo "Adres: " . $Row['Adres'] . "<br>";
        echo "<hr>";
    }
}

if (isset($_POST['Add_DB'])) {
    $sql = "INSERT INTO customers(Voornaam, Achternaam, Adres, Actief, Discipline)
            VALUES(?,?,?,NOW(),?)";

    if ($stmt = $dbcon->prepare($sql)) {
        // bind_param() binds by reference, so the variables may be assigned after it
        // as long as they are set before execute().
        $stmt->bind_param('sssi', $Voornaam, $Achternaam, $Adres, $Discipline);

        $Voornaam = $_POST['Voornaam'];
        $Achternaam = $_POST['Achternaam'];
        $Adres = $_POST['Adres'];
        $Discipline = $_POST['Discipline'];
        $stmt->execute();

        echo "New records created successfully";
    }
}

mysqli_close($dbcon);
?>



It's spaghetti code most likely, but I try to keep things organized...

It's just that I'm learning this now and I'm like, hey, would this work... I try it and it does... but I don't like bad practice!
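The two branches of the posted PHP are not equally safe: the insert branch already uses a prepared statement with bound parameters, but the search branch drops $_POST['search'] straight into the SQL text, which is exactly the pattern that makes SQL injection possible. The following is an added example, not code from the original post, showing the search branch rewritten with a mysqli prepared statement, with database values HTML-escaped before they are echoed, and with the Discipline field validated as an integer. It assumes the same login.php variables and customers table as the post, that "1 tot 5" means Discipline must be in the range 1 to 5 (an assumption), and that the mysqlnd driver is available for get_result().

```php
<?php
// Added example, not from the original post. Assumes login.php defines
// $db_host, $db_username, $db_password and $db_database as in the post.
require_once 'login.php';

// Make mysqli throw exceptions instead of silently returning false, so a
// failed prepare() or execute() cannot be mistaken for "no rows".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$dbcon = new mysqli($db_host, $db_username, $db_password, $db_database);
$dbcon->set_charset('utf8mb4');

/**
 * Look up customers by exact first name. $naam travels to the server as a
 * bound parameter, so quotes or SQL keywords inside it are data, never SQL.
 * Requires mysqlnd for get_result().
 */
function findCustomersByVoornaam(mysqli $db, string $naam): array
{
    $stmt = $db->prepare('SELECT Voornaam, Achternaam, Adres FROM customers WHERE Voornaam = ?');
    $stmt->bind_param('s', $naam);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

/**
 * Validate the Discipline field as an integer in 1..5 (assumed range, based on
 * the form's "1 tot 5" hint). Returns null for anything else, including the
 * untouched placeholder text, instead of letting bind_param('i') coerce it.
 */
function validateDiscipline($raw): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 5],
    ]);
    return $value === false ? null : $value;
}

// Escape every database value before echoing it into HTML. A prepared
// statement protects the query; it does nothing for the page that shows
// the results, so a stored value like "<script>" must still be escaped.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if (isset($_POST['Submit'])) {
    $naam = (string) ($_POST['search'] ?? '');
    $rows = findCustomersByVoornaam($dbcon, $naam);

    // An empty result is not an error: mysqli only returns false on failure.
    if (count($rows) === 0) {
        echo "Nothing to show";
    }
    foreach ($rows as $row) {
        echo "Voornaam: " . h($row['Voornaam']) . "<br>";
        echo "Achternaam: " . h($row['Achternaam']) . "<br>";
        echo "Adres: " . h($row['Adres']) . "<br>";
        echo "<hr>";
    }
}

if (isset($_POST['Add_DB'])) {
    $discipline = validateDiscipline($_POST['Discipline'] ?? null);
    if ($discipline === null) {
        echo "Discipline must be a number from 1 to 5";
    } else {
        $stmt = $dbcon->prepare(
            'INSERT INTO customers(Voornaam, Achternaam, Adres, Actief, Discipline)
             VALUES(?, ?, ?, NOW(), ?)'
        );
        $voornaam   = (string) ($_POST['Voornaam'] ?? '');
        $achternaam = (string) ($_POST['Achternaam'] ?? '');
        $adres      = (string) ($_POST['Adres'] ?? '');
        $stmt->bind_param('sssi', $voornaam, $achternaam, $adres, $discipline);
        $stmt->execute();
        $stmt->close();
        echo "New record created successfully";
    }
}

$dbcon->close();
```

The only change that matters for injection is that the search term is bound with `bind_param('s', ...)` rather than concatenated; the escaping in `h()` and the range check in `validateDiscipline()` address the separate problems of echoing database content into HTML and of accepting free text where an integer is expected.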

bitsmed
Aged Yak Warrior

545 Posts

Posted - 2014-12-15 : 12:49:51
Hi Nocturnes.

First of all, welcome to the wonderful world of SQL :-)

This forum is based on Microsoft's SQL Server, so the answers you get here will probably not work with your DB engine (MySQL).

You are probably better off finding the MySQL (or even PHP) forums and asking the experts there.