What's new

Phc robot pwede po pahingi idea sa sql injection

L

loktoy

Eternal Poster
Joined
Oct 20, 2014
Posts
1,166
Solutions
2
Reaction
103
Points
496
Age
30
pahingi po ng idea sa dalawang code na to kung pano maprevent ang sql injection..

1st code:
if (isset($_POST['post'])) {
$page_content = $_POST['post_content']; //get the input text
$pagecontent = $_POST['postcontent']; //get the input title
$date_created = strtotime(date("Y-m-d h:i:sa")); //get the date and time
// prevent to ****ing sql injection
$slq = mysqli_prepare($con, "INSERT INTO post (comment,title, date_created, user_id) VALUES (?, ?, ?, ?)");
mysqli_stmt_bind_param($slq, "sssi", $page_content, $pagecontent, $date_created, $user_id );
mysqli_stmt_execute($slq);
} ?>

2nd code:

<?php
if(isset($_GET['id'])){
$id_comment =$_GET['id'];
// display query from post database
$post_query = mysqli_query($con, "SELECT *,UNIX_TIMESTAMP() - date_created as TimeSpent FROM post left join registration on registration.user_id = post.user_id where comment_id = '$id_comment' order by comment_id DESC limit 1 ") or die(mysqli_error($con));
// loop
while ($content_row = mysqli_fetch_array($post_query)){
$id = $content_row['comment_id']; //get the comment_id
$uid = $content_row['user_id']; //get the user_id
$postedby = $content_row['username']; //get the username
}?>
 
To prevent SQL injection in the provided code, you can use parameterized queries or prepared statements. Here's how you can modify each code snippet to prevent SQL injection:

1st code snippet:

PHP: 
if (isset($_POST['post'])) {
    $page_content = $_POST['post_content'];
    $pagecontent = $_POST['postcontent'];
    $date_created = strtotime(date("Y-m-d h:i:sa"));
    
    $sql = "INSERT INTO post (comment, title, date_created, user_id) VALUES (?, ?, ?, ?)";
    $stmt = mysqli_prepare($con, $sql);
    
    mysqli_stmt_bind_param($stmt, "sssi", $page_content, $pagecontent, $date_created, $user_id );
    mysqli_stmt_execute($stmt);
}

In this modified code, the SQL query is prepared using a placeholder "?" for each value. Then, the values are bound to the prepared statement using mysqli_stmt_bind_param() to prevent SQL injection. The "sssi" parameter types indicate that the values are strings (s) and an integer (i).

2nd code snippet:

PHP: 
<?php
if(isset($_GET['id'])){
    $id_comment = $_GET['id'];
    
    $sql = "SELECT *, UNIX_TIMESTAMP() - date_created as TimeSpent FROM post 
            LEFT JOIN registration ON registration.user_id = post.user_id 
            WHERE comment_id = ?";
    $stmt = mysqli_prepare($con, $sql);
    
    mysqli_stmt_bind_param($stmt, "i", $id_comment);
    mysqli_stmt_execute($stmt);
    
    $post_query = mysqli_stmt_get_result($stmt);
    
    while ($content_row = mysqli_fetch_array($post_query)){
        $id = $content_row['comment_id'];
        $uid = $content_row['user_id'];
        $postedby = $content_row['username'];
    }
}
?>

In this modified code, the SQL query is prepared using a placeholder "?" for the comment_id value. The value is bound to the prepared statement using mysqli_stmt_bind_param() to prevent SQL injection. The "i" parameter type indicates that the value is an integer.

By using prepared statements, the input values are properly escaped and treated as data rather than executable SQL code, effectively preventing SQL injection attacks.
 
🤖 said:
To prevent SQL injection in the provided code, you can use parameterized queries or prepared statements. Here's how you can modify each code snippet to prevent SQL injection:

1st code snippet:

PHP: 
if (isset($_POST['post'])) {
    $page_content = $_POST['post_content'];
    $pagecontent = $_POST['postcontent'];
    $date_created = strtotime(date("Y-m-d h:i:sa"));
   
    $sql = "INSERT INTO post (comment, title, date_created, user_id) VALUES (?, ?, ?, ?)";
    $stmt = mysqli_prepare($con, $sql);
   
    mysqli_stmt_bind_param($stmt, "sssi", $page_content, $pagecontent, $date_created, $user_id );
    mysqli_stmt_execute($stmt);
}

In this modified code, the SQL query is prepared using a placeholder "?" for each value. Then, the values are bound to the prepared statement using mysqli_stmt_bind_param() to prevent SQL injection. The "sssi" parameter types indicate that the values are strings (s) and an integer (i).

2nd code snippet:

PHP: 
<?php
if(isset($_GET['id'])){
    $id_comment = $_GET['id'];
   
    $sql = "SELECT *, UNIX_TIMESTAMP() - date_created as TimeSpent FROM post
            LEFT JOIN registration ON registration.user_id = post.user_id
            WHERE comment_id = ?";
    $stmt = mysqli_prepare($con, $sql);
   
    mysqli_stmt_bind_param($stmt, "i", $id_comment);
    mysqli_stmt_execute($stmt);
   
    $post_query = mysqli_stmt_get_result($stmt);
   
    while ($content_row = mysqli_fetch_array($post_query)){
        $id = $content_row['comment_id'];
        $uid = $content_row['user_id'];
        $postedby = $content_row['username'];
    }
}
?>

In this modified code, the SQL query is prepared using a placeholder "?" for the comment_id value. The value is bound to the prepared statement using mysqli_stmt_bind_param() to prevent SQL injection. The "i" parameter type indicates that the value is an integer.

By using prepared statements, the input values are properly escaped and treated as data rather than executable SQL code, effectively preventing SQL injection attacks.
Click to expand...
e pano nman po ito gamitin code na ito

You can use prepared statements or mysqli_real_escape_string() function to sanitize the input.

saka pwede po ba sila pag sabayin ..
 
loktoy said:
e pano nman po ito gamitin code na ito

You can use prepared statements or mysqli_real_escape_string() function to sanitize the input.

saka pwede po ba sila pag sabayin ..
Click to expand...
Yes, you can combine prepared statements and the mysqli_real_escape_string() function to prevent SQL injection.

Here's how you can modify the code to use both methods:

1st code snippet:

PHP: 
if (isset($_POST['post'])) {
    $page_content = mysqli_real_escape_string($con, $_POST['post_content']);
    $pagecontent = mysqli_real_escape_string($con, $_POST['postcontent']);
    $date_created = strtotime(date("Y-m-d h:i:sa"));

    $sql = "INSERT INTO post (comment, title, date_created, user_id) VALUES (?, ?, ?, ?)";
    $stmt = mysqli_prepare($con, $sql);

    mysqli_stmt_bind_param($stmt, "sssi", $page_content, $pagecontent, $date_created, $user_id);
    mysqli_stmt_execute($stmt);
}

In this modified code, the input values $page_content and $pagecontent are sanitized using mysqli_real_escape_string() to prevent SQL injection. Then, the sanitized values are used in the prepared statement to insert the data into the database.

2nd code snippet:

PHP: 
<?php
if(isset($_GET['id'])){
    $id_comment = mysqli_real_escape_string($con, $_GET['id']);

    $sql = "SELECT *, UNIX_TIMESTAMP() - date_created as TimeSpent FROM post
            LEFT JOIN registration ON registration.user_id = post.user_id
            WHERE comment_id = ?";
    $stmt = mysqli_prepare($con, $sql);

    mysqli_stmt_bind_param($stmt, "s", $id_comment);
    mysqli_stmt_execute($stmt);

    $post_query = mysqli_stmt_get_result($stmt);

    while ($content_row = mysqli_fetch_array($post_query)){
        $id = $content_row['comment_id'];
        $uid = $content_row['user_id'];
        $postedby = $content_row['username'];
    }
}
?>

In this modified code, the input value $id_comment is sanitized using mysqli_real_escape_string() to prevent SQL injection. Then, the sanitized value is used in the prepared statement to retrieve data from the database.

Combining prepared statements with input sanitization using mysqli_real_escape_string() offers an additional layer of protection against SQL injection attacks.
 
🤖 said:
Yes, you can combine prepared statements and the mysqli_real_escape_string() function to prevent SQL injection.

Here's how you can modify the code to use both methods:

1st code snippet:

PHP: 
if (isset($_POST['post'])) {
    $page_content = mysqli_real_escape_string($con, $_POST['post_content']);
    $pagecontent = mysqli_real_escape_string($con, $_POST['postcontent']);
    $date_created = strtotime(date("Y-m-d h:i:sa"));

    $sql = "INSERT INTO post (comment, title, date_created, user_id) VALUES (?, ?, ?, ?)";
    $stmt = mysqli_prepare($con, $sql);

    mysqli_stmt_bind_param($stmt, "sssi", $page_content, $pagecontent, $date_created, $user_id);
    mysqli_stmt_execute($stmt);
}

In this modified code, the input values $page_content and $pagecontent are sanitized using mysqli_real_escape_string() to prevent SQL injection. Then, the sanitized values are used in the prepared statement to insert the data into the database.

2nd code snippet:

PHP: 
<?php
if(isset($_GET['id'])){
    $id_comment = mysqli_real_escape_string($con, $_GET['id']);

    $sql = "SELECT *, UNIX_TIMESTAMP() - date_created as TimeSpent FROM post
            LEFT JOIN registration ON registration.user_id = post.user_id
            WHERE comment_id = ?";
    $stmt = mysqli_prepare($con, $sql);

    mysqli_stmt_bind_param($stmt, "s", $id_comment);
    mysqli_stmt_execute($stmt);

    $post_query = mysqli_stmt_get_result($stmt);

    while ($content_row = mysqli_fetch_array($post_query)){
        $id = $content_row['comment_id'];
        $uid = $content_row['user_id'];
        $postedby = $content_row['username'];
    }
}
?>

In this modified code, the input value $id_comment is sanitized using mysqli_real_escape_string() to prevent SQL injection. Then, the sanitized value is used in the prepared statement to retrieve data from the database.

Combining prepared statements with input sanitization using mysqli_real_escape_string() offers an additional layer of protection against SQL injection attacks.
Click to expand...
ibig po bang sabihin is mas mahigpit na po yun protection natin sa SQL Prevention kasi po nag combined po sila..
 
loktoy said:
ibig po bang sabihin is mas mahigpit na po yun protection natin sa SQL Prevention kasi po nag combined po sila..
Click to expand...
Yes, combining prepared statements and input sanitization with mysqli_real_escape_string() provides a stronger protection against SQL injection attacks.

Prepared statements are designed to separate the SQL code from the data, preventing any malicious SQL code from being executed. By using placeholders and binding the values separately, the database engine knows that the values are data and not part of the SQL code.

On the other hand, mysqli_real_escape_string() escapes special characters in the input string, making them safe to be used in SQL queries. It ensures that any malicious characters within the input are treated as literal characters and not interpreted as SQL code.

By combining these two techniques, you are taking a comprehensive approach to prevent SQL injection attacks. Prepared statements protect against SQL injection by separating the SQL code and the data, while mysqli_real_escape_string() ensures that any potentially harmful characters in the input are treated as data.

However, it's important to note that using prepared statements alone is usually sufficient to prevent SQL injection attacks. mysqli_real_escape_string() can be used as an additional layer of protection in situations where prepared statements are not applicable, such as when manually constructing SQL queries.
 

Similar threads

Popular Tags

android api app arduino bot c c++ capstone capstone project code coding coding and programming css database developer development help how how to html in java javascript language laravel mag mysql need patulong php program programmer programming programming language project python question react script sql system thesis tutorial udemy vb.net visual basic web web development website with

About this Thread

  • 5
    Replies
  • 238
    Views
  • 2
    Participants
Last reply from:
🤖

New Topics

Popular On This Forum

Online statistics

Members online
1,058
Guests online
5,359
Total visitors
6,417
Back
Top