
Preventing SQL Injections [duplicate]

This question already has answers here: Closed 11 years ago.

Possible Duplicates:

Best way to stop SQL Injection in PHP

In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?

Yesterday I asked a question with regards to a script not working, whilst I in the end solved the issue myself. There was talk of SQL Injections risks.

So what I'm asking today is, with the code I have inserted below, how would one prevent SQL Injections?

So any advice or guidance. I know I can read the internet about SQL injections, but there are so many conflicting articles on it that I don't know which is correct or not.

Here is the code. This is all put in a page of its own, let's say 'form-process.php', which the form then submits the data to, e.g.

<?
session_start(); 

$_SESSION['Title'] = stripslashes($_REQUEST['Title']); 
$_SESSION['ShortTitle'] = stripslashes($_REQUEST['Title']); 
$_SESSION['Category'] = stripslashes($_REQUEST['Category']); 
$_SESSION['Story'] = stripslashes($_REQUEST['Story']);
$_SESSION['FrontPage'] = stripslashes($_REQUEST['FrontPage']);
$_SESSION['imagefilename'] = ($_FILES['image']['name']); 

if (empty($_REQUEST['Title'])) { 
header("Location: ". $_SERVER['HTTP_REFERER'] ."?message=0"); 
exit; 
} elseif (empty($_REQUEST['ShortTitle'])) { 
header("Location: ". $_SERVER['HTTP_REFERER'] ."?message=1"); 
exit; 
} elseif (strlen($_REQUEST['Category']) < 1) {
header("Location: ". $_SERVER['HTTP_REFERER'] ."?message=2"); 
exit;
} elseif (empty($_REQUEST['Story'])) { 
header("Location: ". $_SERVER['HTTP_REFERER'] ."?message=3"); 
exit;  
} else { 

include("settings.php"); 
include("dbconnect.php"); 

if($_POST['btnSubmit'] == 'Publish'){
    $target = "../../../images/matchreports/uploaded/";
    $target = $target . time() . '-' . basename( $_FILES['image']['name']);
    if(move_uploaded_file($_FILES['image']['tmp_name'], $target)){
    $image=time() . '-' . basename( $_FILES['image']['name']);      
    $newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];
$SQL = "INSERT INTO " . $match_reports_table . " (Title,ShortTitle,Story,FrontPage,active,image,date,user_ip) VALUES('" . addslashes($_REQUEST['Title']) . "','" . addslashes($_REQUEST['ShortTitle']) . "','" . addslashes($_REQUEST['Story']) . "','" . addslashes($_REQUEST['FrontPage']) . "','" . addslashes(y) . "','$image','$newdate','" . addslashes($_SERVER['REMOTE_ADDR']) . "')";
    $result = @mysql_query($SQL) or die("Error Publishing 1");

    header("Location: /cms/matchreports/index.php?message=4");  
    exit;

} else {

$newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];    
$SQL = "INSERT INTO " . $match_reports_table . " (Title,ShortTitle,Story,FrontPage,active,date,user_ip) VALUES('" . addslashes($_REQUEST['Title']) . "','" . addslashes($_REQUEST['ShortTitle']) . "','" . addslashes($_REQUEST['Story']) . "','" . addslashes($_REQUEST['FrontPage']) . "','" . addslashes(n) . "','$newdate','" . addslashes($_SERVER['REMOTE_ADDR']) . "')";
    $result = @mysql_query($SQL) or die("Error Publishing 2");

    header("Location: /cms/matchreports/index.php?message=5");  
    exit;}}

if($_POST['btnSubmit'] == 'Save draft'){
    $target = "../../../images/matchreports/uploaded/";
    $target = $target . time() . '-' . basename( $_FILES['image']['name']);
    if(move_uploaded_file($_FILES['image']['tmp_name'], $target)){
    $image=time() . '-' . basename( $_FILES['image']['name']);      
    $newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];
$SQL = "INSERT INTO " . $match_reports_table . " (Title,ShortTitle,Story,FrontPage,active,image,date,user_ip) VALUES('" . addslashes($_REQUEST['Title']) . "','" . addslashes($_REQUEST['ShortTitle']) . "','" . addslashes($_REQUEST['Story']) . "','" . addslashes($_REQUEST['FrontPage']) . "','" . addslashes(n) . "','$image','$newdate','" . addslashes($_SERVER['REMOTE_ADDR']) . "')";
    $result = @mysql_query($SQL) or die("Error Saving Draft 1");

    header("Location: /cms/matchreports/index.php?message=6");  
    exit;

} else {

$newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];    
$SQL = "INSERT INTO " . $match_reports_table . " (Title,ShortTitle,Story,FrontPage,active,date,user_ip) VALUES('" . addslashes($_REQUEST['Title']) . "','" . addslashes($_REQUEST['ShortTitle']) . "','" . addslashes($_REQUEST['Story']) . "','" . addslashes($_REQUEST['FrontPage']) . "','" . addslashes(n) . "','$newdate','" . addslashes($_SERVER['REMOTE_ADDR']) . "')";
    $result = @mysql_query($SQL) or die("Error Saving Draft 2");

    header("Location: /cms/matchreports/index.php?message=7");  
    exit;}}

if($_POST['btnSubmit'] == 'Publish changes'){
//This gets all the other information from the form
$newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];
$SQL = "UPDATE " . $match_reports_table . " SET Title='" . addslashes($_REQUEST['Title']) . "',ShortTitle='" . addslashes($_REQUEST['ShortTitle']) . "',Story='" . addslashes($_REQUEST['Story']) . "',Category='" . addslashes($_REQUEST['Category']) . "',FrontPage='" . addslashes($_REQUEST['FrontPage']) . "',active = '" . y . "',date='$newdate' WHERE ID=" . $_REQUEST['ID'] . "";
$result = @mysql_query($SQL) or die("Error Updating News"); 

header("Location: /cms/matchreports/index.php?message=8");
exit;}

if($_POST['btnSubmit'] == 'Publish draft to website'){
//This gets all the other information from the form
$newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];
$SQL = "UPDATE " . $match_reports_table . " SET Title='" . addslashes($_REQUEST['Title']) . "',ShortTitle='" . addslashes($_REQUEST['ShortTitle']) . "',Story='" . addslashes($_REQUEST['Story']) . "',Category='" . addslashes($_REQUEST['Category']) . "',FrontPage='" . addslashes($_REQUEST['FrontPage']) . "',active = '" . y . "',date='$newdate' WHERE ID=" . $_REQUEST['ID'] . "";
$result = @mysql_query($SQL) or die("Error Updating News"); 

header("Location: /cms/matchreports/index.php?message=9");
exit;}

if($_POST['btnSubmit'] == 'Save changes to draft'){
//This gets all the other information from the form
$newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];
$SQL = "UPDATE " . $match_reports_table . " SET Title='" . addslashes($_REQUEST['Title']) . "',ShortTitle='" . addslashes($_REQUEST['ShortTitle']) . "',Story='" . addslashes($_REQUEST['Story']) . "',Category='" . addslashes($_REQUEST['Category']) . "',FrontPage='" . addslashes($_REQUEST['FrontPage']) . "',active = '" . n . "',date='$newdate' WHERE ID=" . $_REQUEST['ID'] . "";
$result = @mysql_query($SQL) or die("Error Updating News"); 

header("Location: /cms/matchreports/index.php?message=10");
exit;}

}?>


Use PDO and prepared statements.


A simple, universal rule I like to apply is this:

Always store data raw, and escape it for the appropriate application when needed.

This means, get rid of nebulous stripslashes(), and:

  • for string values in SQL statements, use the database's appropriate escape function, e.g. mysqli_real_escape_string(),

  • for system()-type command names, use escapeshellcmd(), for arguments use escapeshellarg(),

  • for manually assembling GET request URLs, use urlencode(), and finally

  • for printing content in an HTML structure, use htmlentities().

There's no point in blindly using some sort of mangling and hoping it'll filter out bad things. Be conscious of what you're doing, and do the appropriate thing at every step.

Example: To print a link with a user-provided GET parameter, you'd do

print("<a href='" . htmlentities($BASEURL . "?data=" . urlencode($untrusted)) . "'>click</a>");

Important note: For SQL queries, it is generally preferable to use prepared statements rather than building queries by hand. This is a different technology from what you're used to, so it's not the straight "how do I fix this" answer, but it is by far the better solution.


I strongly suggest this article generally on escaping (Google-translated from the Czech language).
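Both answers point the same way: store the submitted values raw through a prepared statement, and escape only at the point where a value is rendered into SQL, HTML or a URL. The block below applies that to the asker's form handler. It is an added example, not code from the question or from either answer. It assumes a table named match_reports with the columns the asker's INSERT uses (with date as a DATE column), a hypothetical connect() helper standing in for the asker's dbconnect.php, and a hypothetical view URL; the names $pdo, $form, $baseUrl, insertReport(), updateReport() and reportLink() are mine.

```php
<?php
// Added example: the "store raw, escape on output" rule applied to the asker's
// handler with PDO prepared statements. Table, columns and helper names are
// assumptions, not taken from the question or the answers.

declare(strict_types=1);

// Hypothetical replacement for the asker's dbconnect.php.
// ATTR_EMULATE_PREPARES=false makes MySQL itself bind the parameters, so the
// values never pass through string concatenation on the PHP side.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Store the submitted values exactly as typed: no stripslashes(), no addslashes().
// Every user-controlled value is a bound parameter, so a quote, a semicolon or a
// comment marker inside the title is just data, never part of the SQL text.
function insertReport(PDO $pdo, array $form, ?string $image, bool $publish, string $ip): int
{
    $sql = 'INSERT INTO match_reports
              (Title, ShortTitle, Story, FrontPage, active, image, date, user_ip)
            VALUES (:title, :short, :story, :front, :active, :image, :date, :ip)';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':title'  => $form['Title'],
        ':short'  => $form['ShortTitle'],
        ':story'  => $form['Story'],
        ':front'  => $form['FrontPage'],
        ':active' => $publish ? 'y' : 'n',   // the 'y'/'n' flag the asker's code sets
        ':image'  => $image,                 // NULL when no file was uploaded
        // assumed DATE column; the asker's code concatenates y/m/d without separators
        ':date'   => $form['date_y'] . '-' . $form['date_m'] . '-' . $form['date_d'],
        ':ip'     => $ip,
    ]);
    return (int) $pdo->lastInsertId();
}

// The asker's UPDATE interpolates $_REQUEST['ID'] straight into the WHERE clause
// with no escaping at all. Taking the id as an int and binding it as PDO::PARAM_INT
// means a non-numeric value is rejected before any SQL is built.
function updateReport(PDO $pdo, int $id, array $form, bool $publish): int
{
    $sql = 'UPDATE match_reports
               SET Title = :title, ShortTitle = :short, Story = :story,
                   Category = :category, FrontPage = :front, active = :active
             WHERE ID = :id';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':title',    $form['Title']);
    $stmt->bindValue(':short',    $form['ShortTitle']);
    $stmt->bindValue(':story',    $form['Story']);
    $stmt->bindValue(':category', $form['Category']);
    $stmt->bindValue(':front',    $form['FrontPage']);
    $stmt->bindValue(':active',   $publish ? 'y' : 'n');
    $stmt->bindValue(':id',       $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Output side of the rule: the same raw value, escaped for the context it lands in.
// The title inside the query string is URL-encoded first, then the whole attribute
// value is HTML-escaped; the visible link text is HTML-escaped on its own.
// This is the nesting the answer's print() example uses.
function reportLink(string $baseUrl, string $title): string
{
    $href = $baseUrl . '?title=' . urlencode($title);
    return "<a href='" . htmlentities($href, ENT_QUOTES, 'UTF-8') . "'>"
         . htmlentities($title, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Usage with hypothetical credentials and URL:
// $pdo = connect('mysql:host=localhost;dbname=cms;charset=utf8mb4', 'user', 'secret');
// $id  = insertReport($pdo, $_POST, null, $_POST['btnSubmit'] === 'Publish', $_SERVER['REMOTE_ADDR']);
// $rid = filter_var($_REQUEST['ID'] ?? '', FILTER_VALIDATE_INT);
// if ($rid !== false) { updateReport($pdo, $rid, $_POST, true); }
// echo reportLink('/cms/matchreports/view.php', $_POST['Title']);
```

The validation branch at the top of the asker's script (redirecting with a message number when a field is empty) stays as it is; what changes is that the values it passes through are no longer modified on the way in, and the escaping that used to be done with addslashes() is replaced by parameter binding for SQL and by urlencode()/htmlentities() at the point of output.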
