doubts about POST method


5

I am learning PHP and would like to clear up a doubt about whether my code is vulnerable to SQL injection.

Say I'm putting together a form:

<form method="POST" action="classes/cliente.class.php" enctype="multipart/form-data">
    <input class="input" type="text" name="razaosocial" placeholder="Razão Social" onkeyup="maiuscula(this)">
    <button class="button is-primary" type="submit" value="Cadastrar" name="novoCliente">CADASTRAR</button>
</form>

Then in the other file I'm handling it this way:

if (array_key_exists("novoCliente", $_POST)) {
    $razaosocial = $_POST["razaosocial"];
    $sql = mysqli_query($conexao, "INSERT INTO cliente VALUES ('', '".$razaosocial."') ");
    if ($sql) {
        echo "<script language='javascript' type='text/javascript'>window.location.href='../consultaCliente.php'</script>";
    } else {
        echo "<script language='javascript' type='text/javascript'>alert('Erro no cadastro!');window.location.href='../cadastroCliente.php'</script>";
    }
} else {
    echo "<script language='javascript' type='text/javascript'>window.location.href='../cadastroUsuario.php'</script>";
}

Is that right? Is it vulnerable?

  • Always keep an eye on user input. User inputs are dangerous because they are attack vectors. SQL is a powerful language (after all, it controls your database), and putting user input in the middle of it without "sanitizing" gives a lot of power to the user, who may be an attacker. The golden rule is: "Sanitize all user input."

1 answer

3

Yes, it’s vulnerable. You can see it through these two lines:

$razaosocial = $_POST["razaosocial"];
$sql = mysqli_query($conexao, "INSERT INTO cliente VALUES ('', '".$razaosocial."') ");

Imagine the person sends the value Luiz as the razaosocial parameter. The SQL command would be:

INSERT INTO clientes VALUES ('', 'Luiz')

Right? Now imagine someone sent the following value:

Luiz'); DROP TABLE clientes; -- 

The complete query would be:

INSERT INTO clientes VALUES ('', 'Luiz'); DROP TABLE clientes; -- ')

And that's just one example.


To prevent this, the ideal is to use prepared statements.

There are several ways to prepare a statement. You can use mysqli itself (through prepare) or other libraries, such as PDO.

  • Why is the easiest way to use PDO, if he already uses mysqli?

  • In my opinion the way to prepare in PDO is simpler than in mysqli. Personal preference. Anyway, I edited the answer to say that it can also be done with mysqli.

  • I think PHP itself recommends PDO. Because everything typed into the field becomes plain text and is not part of the code.

  • Researching here, I came across this... now, is this way safe? if (array_key_exists("register", $_POST)) { $stmt = $mysqli->prepare("INSERT INTO test (name) VALUES (?)"); $stmt->bind_param("s", $_POST['name']); $stmt->execute(); //fetching result would go here, but will be covered later $stmt->close(); } else { echo "ERROR"; }

  • you can also use addslashes in the variable you want to send
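The following is an added example, not code from the question or the answer above. It puts the concatenated query from the question next to a prepared-statement version and runs both against the same payload, so you can see the difference in what ends up in the table. It assumes a table `cliente` with an auto-increment `id` and a `razaosocial` column (the question's `INSERT ... VALUES ('', ...)` suggests that shape, but the schema is not shown), names the column explicitly in the INSERT, and uses an in-memory SQLite database through PDO so it runs without a MySQL server. The payload is constructed for the demonstration: it closes the quoted value and appends a second row in the same statement. That matters because mysqli_query() executes only one statement, so the `'); DROP TABLE ...` payload from the answer would be rejected there, but the injection is still real: the attacker controls the rest of that single statement.

```php
<?php
// Added example (not from the original question or answer).
// Assumed schema: cliente(id auto-increment, razaosocial text).
// Uses PDO + in-memory SQLite so it runs offline; the prepare/bind idea is
// the same with mysqli against the question's $conexao.

function vulnerableInsert(PDO $db, string $razaosocial): void
{
    // The pattern from the question: user input glued into the SQL text.
    $db->exec("INSERT INTO cliente (razaosocial) VALUES ('" . $razaosocial . "')");
}

function safeInsert(PDO $db, string $razaosocial): void
{
    // Prepared statement: the value is sent separately from the SQL text, so
    // quotes, parentheses and comment markers in it are just characters.
    $stmt = $db->prepare("INSERT INTO cliente (razaosocial) VALUES (:razaosocial)");
    $stmt->execute([':razaosocial' => $razaosocial]);
}

function listClientes(PDO $db): array
{
    return $db->query("SELECT razaosocial FROM cliente ORDER BY id")
              ->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE cliente (id INTEGER PRIMARY KEY AUTOINCREMENT, razaosocial TEXT NOT NULL)");

// Constructed payload: ends the quoted value, adds a second row, and comments
// out the closing quote and parenthesis the application appends.
// Resulting SQL: INSERT INTO cliente (razaosocial) VALUES ('Luiz'), ('Mallory') -- ')
$payload = "Luiz'), ('Mallory') -- ";

vulnerableInsert($db, $payload);
print_r(listClientes($db));   // two rows, "Luiz" and "Mallory", from one form field

$db->exec("DELETE FROM cliente");

safeInsert($db, $payload);
print_r(listClientes($db));   // one row containing the whole payload as plain text
```

With mysqli and the question's `$conexao`, the equivalent of safeInsert() is `mysqli_prepare($conexao, "INSERT INTO cliente (razaosocial) VALUES (?)")`, then `mysqli_stmt_bind_param($stmt, "s", $razaosocial)` and `mysqli_stmt_execute($stmt)`, which is the same thing the object-style snippet in the comments above does. Note that addslashes() is not a substitute for this: it is not aware of the connection's character set, and escaping still leaves the value inside the SQL text rather than separating it from the code.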
