asmar
July 28, 2013, 5:26am
1
Hi all,
I’m trying to alter a piece of code to include mysqli_real_escape_string to avoid SQL injections, and I would like to ask if the following code is properly written, as I’m not quite sure how to test it.
Original code:
if(($rss_title !='') && ($rss_url !=''))
{
$query=mysqli_query($GLOBALS["___mysqli_ston"], "insert into rss (title, url, published, lang) values ('$rss_title', '$rss_url', '1', '$_SESSION[session_lang]')");
}
Altered code:
if(($rss_title !='') && ($rss_url !=''))
{
$query=mysqli_query($GLOBALS["___mysqli_ston"], "insert into rss (title, url, published, lang) values ('$rss_title', '$rss_url', '1', '$_SESSION[session_lang]')");
$query = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $rss_title, $rss_url, $_SESSION);
}
Thanks
MarPlo
July 28, 2013, 6:06am
2
Hi,
Try this (the values must be filtered with mysqli_real_escape_string(), not the whole SQL query).
if($rss_title !='' && $rss_url !='') {
$query = mysqli_query($GLOBALS["___mysqli_ston"], "insert into rss (title, url, published, lang) values ('". mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $rss_title) ."', '". mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $rss_url) ."', '1', '". mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $_SESSION['session_lang']) ."')");
}
You shouldn’t ever need to use mysqli_real_escape_string, as an even better solution is to use prepare and bind, which makes injection completely impossible by keeping the data completely separate from the SQL.
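As an added illustration of the point made above (this is not code from the thread or from either poster), here is the escaping approach written out as a function: the connection handle is the first argument to mysqli_real_escape_string() in procedural style, each value is escaped on its own, and only then are the escaped values spliced into the SQL. The connection variable $GLOBALS["___mysqli_ston"] and the rss table columns are taken from the thread; the function name is an assumption. One caveat a practitioner should know: mysqli_real_escape_string() escapes according to the connection's character set, so set it with mysqli_set_charset() before relying on it.

```php
<?php
// Added example, not the thread's code: escape each VALUE with the
// connection handle, then build the query from the escaped values.
function insert_rss_escaped(mysqli $db, string $title, string $url, string $lang): bool
{
    if ($title === '' || $url === '') {
        return false;
    }

    // Escaping is only correct for the charset the connection is using,
    // so declare it explicitly (assumption: the schema stores utf8mb4).
    mysqli_set_charset($db, 'utf8mb4');

    // Procedural style: the connection is the first argument, the value
    // to escape the second. Escape values, never the assembled query.
    $t = mysqli_real_escape_string($db, $title);
    $u = mysqli_real_escape_string($db, $url);
    $l = mysqli_real_escape_string($db, $lang);

    $sql = "insert into rss (title, url, published, lang) "
         . "values ('$t', '$u', '1', '$l')";

    return mysqli_query($db, $sql) !== false;
}

// Usage in the admin script (assumes $rss_title and $rss_url are set and
// session_start() has already run):
// insert_rss_escaped($GLOBALS["___mysqli_ston"], $rss_title, $rss_url,
//                    $_SESSION['session_lang']);
```

Note that the escaped values still have to sit inside quotes in the SQL ('$t', not $t); escaping only protects a quoted string literal. That fragility is why the reply above recommends prepare and bind instead.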
asmar
July 28, 2013, 1:25pm
4
Thanks a lot for the replies.
Felgall, would you mind giving an example of the above code but with prepared statements?
Thanks a lot
$stmt = $GLOBALS["___mysqli_ston"]->prepare("insert into rss (title, url, published, lang) values (?, ?, ?, ?)");
$stmt->bind_param('ssds', $rss_title, $rss_url, 1, $_SESSION['session_lang']);
asmar
July 30, 2013, 11:13am
6
Many thanks Felgall.
The code however throws the following error:
Fatal error: Cannot pass parameter 4 by reference in /opt/lampp/htdocs/modules/rss/admin-rss.php on line 61
where line 61 is:
$stmt->bind_param('ssds', $rss_title, $rss_url, 1, $_SESSION[session_lang]);
Any ideas?
asmar
July 30, 2013, 11:28am
7
Ignore my last post, I figured it out. I needed to pass the value 1 into a variable for it to work.
Many thanks for your help.
asmar
July 30, 2013, 12:07pm
8
For some reason the session value is not getting passed properly via the prepared statement.
This is my existing code, which seems to work fine but only for one language, as it doesn’t get the session_lang. Any ideas?
$stmt = $GLOBALS["___mysqli_ston"]->prepare("insert into rss (title, url, published, lang) values (?, ?, ?, ?)");
$my_var = 1;
$stmt->bind_param('ssds', $rss_title, $rss_url, $my_var, $_SESSION['session_lang']);
$stmt->execute();
$stmt->close();
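Pulling the thread's prepared-statement version together, here is an added example (not code from the thread or from any poster) of the insert with the two stumbling blocks discussed above handled: bind_param() takes its arguments by reference, so the constant 1 is stored in a variable first, and the session key is read with a quoted index and checked before binding so a missing value is noticed rather than silently bound as null. The connection variable and table layout come from the thread; the function name, the 'en' fallback and the error_log() reporting are assumptions.

```php
<?php
// Added example, not the thread's code: prepared-statement insert for the
// rss table. Placeholders carry the data separately from the SQL text, so
// no escaping is needed for any of the values.
function insert_rss_prepared(mysqli $db, string $title, string $url): bool
{
    if ($title === '' || $url === '') {
        return false;
    }

    // Assumption: session_start() has already run on this request and the
    // language was stored under $_SESSION['session_lang']. The index must be
    // quoted; a bare session_lang is an undefined constant. If the key is
    // absent, fall back to a placeholder default instead of binding null.
    if (!isset($_SESSION['session_lang'])) {
        error_log('session_lang is not set in the session');
        $lang = 'en'; // assumed default
    } else {
        $lang = (string) $_SESSION['session_lang'];
    }

    // bind_param() binds by reference, so the literal 1 needs a variable.
    $published = 1;

    $stmt = $db->prepare(
        "insert into rss (title, url, published, lang) values (?, ?, ?, ?)"
    );
    if ($stmt === false) {
        error_log('prepare failed: ' . $db->error);
        return false;
    }

    // Type string: s = string, i = integer, one character per placeholder.
    $stmt->bind_param('ssis', $title, $url, $published, $lang);

    $ok = $stmt->execute();
    if (!$ok) {
        error_log('execute failed: ' . $stmt->error);
    }
    $stmt->close();
    return $ok;
}

// Usage in the admin script (assumes $rss_title and $rss_url are set):
// insert_rss_prepared($GLOBALS["___mysqli_ston"], $rss_title, $rss_url);
```

The isset() check is the first thing to look at when only one language ever reaches the table: if the key is missing at the point of the insert, the log line will say so, which separates a session problem from a statement problem.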