PHP Script to take a database backup

<input type="checkbox" class="checkbox_table" name="table[]" value="<?php echo $table["Tables_in_swisskni_testpod"]; ?>" /> <?php echo $table["Tables_in_swisskni_testpod"]; ?>

The above PHP code is connected to this one →

if(isset($_POST['table'])){
  $output = '';
  echo ("<pre>");
  print_r($_POST['table']);
  echo ("</pre>");
  foreach($_POST["table"] as $table) {
    echo "$table <br>";
    $show_table_query = "SHOW CREATE TABLE " . $table . "";
    $statement = $connect->prepare($show_table_query);
    $statement->execute();
    $show_table_result = $statement->fetchAll();
      foreach($show_table_result as $show_table_row)
      {
        echo ("<pre>");
        print_r($show_table_result);
        echo ("</pre>");
      }
  }
}

In fact, $_POST comes into the picture when the form is submitted.

$_POST['table'] what is it referring to among these:

type="checkbox" 
class="checkbox_table" 
name="table[]"  
value="<?php echo $table["Tables_in_swisskni_testpod"]; ?>" />

I think this is the name="", which is an array here?

The keys for $_POST are filled by the name attributes of your form fields. [] does indicate that the form will send an array of data.

The values for $_POST are the value attribute of the form field, which for certain form fields (like a checkbox) have a default value, and for others (like a text input) is variable.

1 Like

That means:

$_POST[0]
$_POST[1]
$_POST[2]

And so on ____

when you say The *values* for $_POST you mean $table is acting as that value?

Print_r is not working on

print_r($_POST['table']);

if(isset($_POST['table'])){
  $output = '';
  foreach($_POST["table"] as $table) {
    echo ("<pre>");
    print_r($_POST['table']);
    echo ("</pre>");
    $show_table_query = "SHOW CREATE TABLE " . $table . "";
    $statement = $connect->prepare($show_table_query);
    $statement->execute();
    $show_table_result = $statement->fetchAll();
      foreach($show_table_result as $show_table_row)
      {
        echo ("<pre>");
        print_r($show_table_result);
        echo ("</pre>");
      }
  }
}

What about

var_dump($_POST);

What does that show?

Let me try.

It gives nothing:

http://html.trafficopedia.com/all/dbbackup/

Really? If I check two of the checkboxes and submit the form, it gives me:

array(2) {
  ["table"]=>
  array(2) {
    [0]=>
    string(4) "cars"
    [1]=>
    string(5) "makes"
  }
  ["submit"]=>
  string(6) "Export"
}

and then describes some database tables.

1 Like

Ok so if we use both:

echo ("<pre>");
  print_r($_POST['table']);
  var_dump($_POST);
echo ("</pre>");

It gives us:

Array
(
    [0] => cars
    [1] => makes
    [2] => names
    [3] => savings
)
array(2) {
  ["table"]=>
  array(4) {
    [0]=>
    string(4) "cars"
    [1]=>
    string(5) "makes"
    [2]=>
    string(5) "names"
    [3]=>
    string(7) "savings"
  }
  ["submit"]=>
  string(6) "Export"
}

That means this is a whole array:

$_POST['table'] with entries:

Array
(
    [0] => cars
    [1] => makes
    [2] => names
    [3] => savings
)

This var_dump($_POST); gives everything.

foreach($_POST["table"] as $table) {
    
}

In the above part, if my understanding of basic PHP is not wrong, then $table acts as a counter.

$_POST["table"] has 4 items. That means $table stands as a placeholder variable to which values will be assigned from the array as the loop will run 4 times (assuming all checkboxes are ticked, otherwise the number will be different based on 3 of checkboxes ticked).
$table can be anything such as $anything.

Correct me if I am wrong in any part of my understanding.

not a counter.

that is… roughly accurate.

that is correct.

In general this is true, but in this case, $table should be a string - a table name, that corresponds to the value of the checkbox from your form.

In practice, you should be careful with this form of query construction; you should be using prepared statements properly to execute your query, rather than a literal string query, which is what you’re doing now.

1 Like

What does that mean?

If we would have used this then this wouldn't have worked?

foreach($_POST["table"] as $tomcruise) {
//Code statements here
}

Can you please help me more in understanding this →

What I mean is, if we knew nothing about the variables, then this statement is true:

foreach ($anarray AS $avalue) {

“$avalue can be anything”
This is true, $avalue could be anything - a string, a number, another array, anything.

But in your example, you know what $table SHOULD be - on each iteration of the loop it should be a string, and that string should be a table name in your database. (Note, I use the word ‘should’ here, because we don’t know for a fact that it is, because we haven’t sanitized the input.)

If I sent your webpage a $_POST['table'] value that says 'table1'; DROP TABLE cars;, what happens to your database?

Nothing will happen; table1 is not table cars.

incorrect.

Your PHP code says this:
$show_table_query = "SHOW CREATE TABLE " . $table . "";

So, if $table is 'table1'; DROP TABLE cars;, your $show_table_query becomes:
"SHOW CREATE TABLE 'table1'; DROP TABLE cars;"

This is perfectly valid SQL - it’s two queries. The first returns a query description of the table, the second deletes the cars table from the database.

This is the very basic form of SQL injection. It’s also what prepared statements are designed to prevent.

1 Like

Ok. So how can we sanitize that? Is there any recommendation to study PHP security?

I think the point is that if you use prepared statements instead of just concatenating strings into your query string, that will have the effect of sanitising the input.

1 Like

How?
Can you help me with an example.

This seems to be a popular site to refer to : https://phptherightway.com/#pdo_extension

1 Like
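
A prepared-statement placeholder binds values, not identifiers, so a table name cannot be passed as `?`; for this form the submitted names have to be checked against the tables the server actually has before they reach the query. The following is an added example, not code from the thread: the function names `filterRequestedTables` and `showCreateTableSql` are hypothetical, the table list is constructed from the names in the var_dump output above, and `$connect` is assumed to be the thread's PDO connection.

```php
<?php
declare(strict_types=1);

/**
 * Keep only the requested names that exactly match a table known to exist.
 * $existing should come from the server (e.g. SHOW TABLES), never the client.
 */
function filterRequestedTables($requested, array $existing): array
{
    if (!is_array($requested)) {
        return [];                 // e.g. table=cars sent instead of table[]=cars
    }
    $safe = [];
    foreach ($requested as $name) {
        // Strict comparison: nested arrays and near-matches never pass.
        if (is_string($name) && in_array($name, $existing, true)) {
            $safe[] = $name;
        }
    }
    return array_values(array_unique($safe));
}

/** Build the statement for a name that has already passed the allowlist. */
function showCreateTableSql(string $table): string
{
    // Backtick-quote the identifier, doubling any embedded backtick.
    return 'SHOW CREATE TABLE `' . str_replace('`', '``', $table) . '`';
}

// Constructed sample data: the table names from the thread's output,
// plus the hostile value discussed in the thread and a nested array.
$existing = ['cars', 'makes', 'names', 'savings'];
$post     = ['table' => ['cars', "table1'; DROP TABLE cars;", 'makes', ['x']]];

foreach (filterRequestedTables($post['table'] ?? null, $existing) as $table) {
    echo showCreateTableSql($table), PHP_EOL;
    // With a live connection (assumed): $connect->query(showCreateTableSql($table));
}
```

Only `cars` and `makes` survive the filter; the injected string and the nested array are dropped before any SQL is built.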

Some similar discussion was done here:
