How to protect this form from SQL injections [duplicate]
Possible Duplicate:
Editing MySQL recode using a HTML form
I'd like to know how to validate the inputs of this submit form. By validate I mean keep it safe from SQL injections. Any help will be really appreciated. Thank you.
<?php
session_start();
if(!session_is_registered('ausername')){
header("location:main_login.php");
}
include ("header.php");
include ("../db.php");
$catname = $_POST['catname'];
$catdisc = $_POST['catdisc'];
$id = $_GET['id'];
if (isset($id))
{
$query = "SELECT * FROM categories WHERE catid='$id'";
$result= mysql_query($query) or die ('Mysql Error');
}
//Get category name and description
while($row = mysql_fetch_array($result)){
$cname = $row['catname'];
$cdisc = $row['catdisc'];
}
?>
<?php
$result= mysql_query ("UPDATE categories SET catname='$catname', catdisc='$catdisc' WHERE catid='$id'")
or die ('Error Updating');
?>
<h1>Edit Categories</h1>
<form method="post" action="../admin/edit_cat.php?id=<?php echo $id;?>">
Category Name: <input type="text" name="catname" value="<?php echo $cname;?>"><br/>
Category Description: <TEXTAREA NAME="catdisc" ROWS="3" COLS="25"><?php echo $cdisc;?></TEXTAREA><br/><br/>
<input type="submit" value="Update Category"/>
</form>
<?php
include ("footer.php");
?>
strings (have to be in single/double quotes in query!) -> mysql_real_escape_string();
integers (could be without quotes) -> intval();
$catname = mysql_real_escape_string($_POST['catname']);
$catdisc = mysql_real_escape_string($_POST['catdisc']);
$id = intval($_GET['id']);
$result= mysql_query ("UPDATE categories SET catname='$catname', catdisc='$catdisc' WHERE catid=$id")
Add mysql_real_escape_string calls for all your query variables, see http://php.net/manual/en/function.mysql-real-escape-string.php
See 'Avoidance Techniques' from the PHP SQL Injection docs.
Use a database library that uses placeholders. Better API, and it takes care of SQL injection for free.
For example, see prepare and execute in MDB2
Use prepared statements whenever handling values that users can change: http://us2.php.net/manual/en/pdo.prepare.php
They make SQL injection impossible.
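The following is an added example, not code from the question or any of the answers: the asker's edit_cat.php rewritten along the lines the answers recommend, using PDO prepared statements (the PDO answer) with the id cast to an integer (the intval() answer) so that no user-supplied value is ever concatenated into SQL text. It assumes ../db.php creates a PDO connection in a variable named $pdo and that the login check stores the user name in $_SESSION['ausername']; both names are assumptions, as session_is_registered() was removed from PHP long ago. Table and column names are those from the question.

```php
<?php
// Added example, not from the original question or answers.
session_start();
if (empty($_SESSION['ausername'])) {          // assumed session key (replaces session_is_registered)
    header('Location: main_login.php');
    exit;                                     // stop the script; header() alone does not
}
include 'header.php';
include '../db.php';                          // assumed to provide $pdo = new PDO(...)

// Throw on errors instead of silently returning false, and use real server-side prepares
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// The id is numeric: cast it, then bind it as an integer. A non-numeric value becomes 0 and is rejected.
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
if ($id <= 0) {
    exit('Invalid category id');
}

// Only update on a form submission (the original ran the UPDATE on every page load),
// and only through bound parameters: the SQL text never contains user input.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $update = $pdo->prepare(
        'UPDATE categories SET catname = :catname, catdisc = :catdisc WHERE catid = :id'
    );
    $update->bindValue(':catname', $_POST['catname'] ?? '', PDO::PARAM_STR);
    $update->bindValue(':catdisc', $_POST['catdisc'] ?? '', PDO::PARAM_STR);
    $update->bindValue(':id', $id, PDO::PARAM_INT);
    $update->execute();
}

// Read the (possibly just updated) category with the same placeholder technique
$select = $pdo->prepare('SELECT catname, catdisc FROM categories WHERE catid = :id');
$select->bindValue(':id', $id, PDO::PARAM_INT);
$select->execute();
$row = $select->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    exit('No such category');
}

// The stored values came from users, so escape them on the way back into the HTML as well
$cname = htmlspecialchars($row['catname'], ENT_QUOTES, 'UTF-8');
$cdisc = htmlspecialchars($row['catdisc'], ENT_QUOTES, 'UTF-8');
?>
<h1>Edit Categories</h1>
<form method="post" action="../admin/edit_cat.php?id=<?php echo $id; ?>">
Category Name: <input type="text" name="catname" value="<?php echo $cname; ?>"><br/>
Category Description: <textarea name="catdisc" rows="3" cols="25"><?php echo $cdisc; ?></textarea><br/><br/>
<input type="submit" value="Update Category"/>
</form>
<?php include 'footer.php'; ?>
```

With prepared statements the database receives the query structure and the parameter values separately, so a value such as `x' OR '1'='1` is stored literally as the category name rather than altering the WHERE clause; the intval()/mysql_real_escape_string() approach from the first answer relies on getting every variable right by hand, which is why the later answers prefer placeholders.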