How to save the full HTML of a form to Mysql?

I'm trying to record the full HTML of a form, since I have a system in which each user can have his or her own form of payment, which requires each one to record the code of the buy button, for example from Pagseguro.

This generates the following error when I try to write to MySQL via an administrative form I developed to save these payment codes:

You have an error in your SQL syntax; check the manual that corresponds  
to your MySQL server version for the right syntax to use near 'post' 
action='https://www.meu.url/PagamentoSimples.do'> 

I have tried to use several codes such as:

$clientepagseguro = strip_tags($_POST['clientepagseguro']);

Nothing worked out.

THE HTML:

<form method='post' action='https://www.meu.url/PagamentoSimples.do'>
    <input type='hidden' name='id_carteira' value='[email protected]'/>
    <input type='hidden' name='valor' value='4000'/>
    <input type='hidden' name='nome' value='Site Lucrativo'/>
    <input type='image' name='submit' src='https://static.moip.com.br/imgs/buttons/bt_pagar_c01_e04.png' alt='Pagar' border='0' />
</form>

What do I do to solve this?

1 answer

The problem

You have to escape the data coming from the form, and this applies to any data going to the database. If you are not doing this, then in addition to the problem presented, your system is probably vulnerable to SQL Injection attacks.

What happens is that if the data sent by the user is HTML code, it will probably contain single quotes, and these single quotes, when not escaped, end up breaking the query.

INSERT INTO `pagamento` (`btn_html`) VALUES ('Código HTML');

When you add HTML code, it would be a problem; see below (this has single quotes):

INSERT INTO `pagamento` (`btn_html`) VALUES ('<a href='#'>Meu botão</a>');

See in the example above that we have a conflict. The quotation marks for the link end up breaking the query, and MySQL will understand that 2 different values are being passed: the value <a href= and the value >Meu botão</a>.

This alone would cause a problem because you only specified one column; besides, there is a "loose" # character that would also cause a problem.

Solutions

This will depend on how you are connecting to the database, whether you are using Mysqli or PDO.

In the case of Mysqli, you can solve it like this:

$string = "Caixa d'água";
// mysqli_real_escape_string takes the connection link first, then the string
// (the old mysql_real_escape_string reversed the order and no longer exists in PHP 7+)
$stringPronta = mysqli_real_escape_string($conexao, $string);

//$stringPronta will look like this: Caixa d\'água

Note that the quote character was escaped with a backslash, in the same way we do to escape values in PHP. Remember that the $conexao variable refers to your previously created connection link.

Although this solves the problem, some people say that this method is not 100% safe against SQL Injection, so it is worth researching, or choose to use PDO instead.

To solve the problem with PDO, do:

$inserirBtn = $conexao->prepare("INSERT INTO `pagamento` (`btn_html`) VALUES (:btn_html)");
$inserirBtn->bindValue(':btn_html', $string);
$inserirBtn->execute();

Note that in the case of PDO, it is much simpler because it escapes the data "natively" before running the query on the database server.
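As an added example (not from the original question or answer), here is the string-concatenated INSERT that produces the error from the question placed next to prepared-statement versions for both PDO and mysqli, using the form HTML from the question. The table `pagamento`, the column `btn_html`, and the connection details are assumptions.

```php
<?php
// Added example: the button HTML from the question, as it arrives in $_POST.
$btnHtml = "<form method='post' action='https://www.meu.url/PagamentoSimples.do'>\n"
         . "    <input type='hidden' name='id_carteira' value='[email protected]'/>\n"
         . "    <input type='hidden' name='valor' value='4000'/>\n"
         . "</form>";

// VULNERABLE: building the SQL by concatenation. The first single quote inside the
// HTML (right after method=) closes the string literal, which is exactly the
// "syntax ... near 'post' action=..." error from the question. Any value the user
// controls can also rewrite the statement (SQL injection).
function buildUnsafeInsert(string $html): string {
    return "INSERT INTO `pagamento` (`btn_html`) VALUES ('" . $html . "')";
}

// SAFE (PDO): the SQL text contains only a placeholder; the value is sent
// separately and is never parsed as SQL, so quotes inside the HTML are harmless.
function insertButtonPdo(PDO $pdo, string $html): int {
    $stmt = $pdo->prepare("INSERT INTO `pagamento` (`btn_html`) VALUES (:btn_html)");
    $stmt->bindValue(':btn_html', $html, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// SAFE (mysqli): same idea with a mysqli prepared statement; type 's' = string.
function insertButtonMysqli(mysqli $db, string $html): int {
    $stmt = $db->prepare("INSERT INTO `pagamento` (`btn_html`) VALUES (?)");
    $stmt->bind_param('s', $html);
    $stmt->execute();
    return (int) $db->insert_id;
}

// Connection details are placeholders; adjust them for your environment.
$pdo = new PDO('mysql:host=localhost;dbname=loja;charset=utf8mb4', 'usuario', 'senha', [
    PDO::ATTR_ERRMODE           => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES  => false, // real server-side prepared statements
]);

echo buildUnsafeInsert($btnHtml), "\n"; // shows the broken statement; do not execute it
$id = insertButtonPdo($pdo, $btnHtml);
echo "Inserted row $id\n";
```

Note that the strip_tags call tried in the question removes exactly the markup you want to keep; handling the quotes is the job of the parameterised query, not of tag stripping.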
