teen phone cutie
Jun 18, 2012

last year i rewrote something awful from scratch because i hate myself
I'm having a problem with telling if my function to negate SQL injections is working correctly or not.

The point of it is to get rid of the slashes that end the query and then replace them back because this is a dictionary application and I'd like to accept all characters.

This is what my functions to clean the input look like:



and here's what my queries to input a word and definition look like:



I ran this add_word function with and without cleaning and I got two results. The first circled row is with the clean function, but I cannot tell if it's still possible to harm my database or not. I'm assuming the second row is an unwanted result, but I'm not really sure.



How do SQL injections even work? I really don't understand them that well.

teen phone cutie fucked around with this message at 05:18 on Nov 25, 2015

teen phone cutie
PHP newbie here. I'm trying to make a form that submits data to a database. I have the database set up fine, got it connected and disconnected properly. And I can even get the data submitting. The only problem is I'm trying to create functions to make the process easier and I'm having issues.

My index page:

code:
<?php require_once('connection/databaseconnect.php'); ?>
<?php require_once('functions.php'); ?>

<?php
//if the form is submitted, run the add_word function
if(isset($_POST['submit'])){
	add_word("$_POST");
}
?>

<!DOCTYPE html>
<html>
<head>
	<title>Test App</title>
</head>
<body>
<form method="post" name = "add_word">
	<input type="text" name="word" maxlength="30">
	<input type="submit" name="submit">
</form>

</body>
</html>

<?php require_once('connection/databasedisconnect.php'); ?>
My functions file:

code:
<?php
require_once('connection/databaseconnect.php');

function clean($a){
	$cleaned = mysqli_real_escape_string($connection, $a);
}

//extract data from the submitted form, clean for injections, then put the cleaned
// word into the database table
function add_word($info){
	extract($info);
	$cleaned_word = clean("$word");
	$query = "INSERT INTO words (word) VALUES ('$cleaned_word')";
	$result = mysqli_query($connection, $query);
}

?>
I know the add_word is running because if I echo $word, the value of the text form comes up just fine. I just can't get it added to the database.

Also, I know extract with $_POST is bad practice, but I'm just practicing.

teen phone cutie
Okay. I tried fixing that stuff:

code:
function add_word($word){
	echo $word; //WORKING: echos the value from the text field
	$cleaned_word = clean("$word");
	$query = "INSERT INTO words (word) VALUES ('$cleaned_word')";
	$result = mysqli_query($connection, $query);
}
running the function

code:
if(isset($_POST['submit'])){
	add_word($_POST["word"]);
}
Still not workin

teen phone cutie
Okay. It's working and I got the clean function going as well.

PHP is weird, man. I miss JQuery right now

Also, will that clean function protect me from every SQL injection? Are there better ways of doing it, or is real escape string efficient enough?

teen phone cutie fucked around with this message at 23:11 on Dec 29, 2016

teen phone cutie

Luxury Communism posted:

old post but,

extract() has its uses. The example that comes to mind is before require()-ing a template.php inside a render() function

yeah I ended up fixing that.

I was just watching Lynda tutorials at work bc I was bored and was trying to make a simple CRUD. The only time I ever worked in PHP was while I was still in school, and never really got the chance to wrap my brain around it.

I'm wondering if it's even worth learning or if it's more valuable to learn Node js as a server-side language, as I'm mainly working with Javascript at work.

teen phone cutie
EDIT: Post about a delete function. I ended up making unique pages for each row in my table and then adding a delete button on each page.

I originally wanted to list them all and have a delete button next to each item in the list, but I decided that was over my head, so I did it this way instead.

Hey! I'm getting better at PHP CRUD!

PHP code:
//Delete function. Grabs the id from the url then compares it to the id in the row 
//and deletes the appropriate row
function delete_word(){
	global $connection;
	$url_id = $_GET['id'];
	$query = "DELETE FROM words WHERE id = '".$url_id."'";
	if(mysqli_query($connection, $query)){
		echo "Deleted!";
		echo ("<SCRIPT LANGUAGE='JavaScript'>
		window.alert('Successfully Updated');
		window.location.href='index.php';
		</SCRIPT>");
	}
	else{
		echo "ERROR";
	}
}

teen phone cutie fucked around with this message at 20:42 on Feb 15, 2017

teen phone cutie

rt4 posted:

The most important thing about that code sample is that it takes user input from $_GET['id'] and sticks it directly into a query. You need to use a parameterized query to prevent a malicious user from carrying out an SQL injection attack.

http://php.net/manual/en/pdo.prepare.php

So something like this? I don't need to fetch or bind my results since I'm deleting, correct?

I kinda understand, but the documentation isn't doing a great job of explaining why this is protecting against malicious attacks.

e: I'll probably get around to playing with PDO after I complete this CRUD app. Just wanna get some basic understanding down first.

PHP code:
function delete_word(){
	global $connection;
	$url_id = $_GET['id'];
	if ($executed = mysqli_prepare($connection, 'DELETE FROM words WHERE id =?')){
		//binds parameters for markers (i=integer)
		mysqli_stmt_bind_param($executed, "i", $url_id);
		//execute the query
		mysqli_stmt_execute($executed);
		//close statement
		mysqli_stmt_close($executed);
	}
}

teen phone cutie fucked around with this message at 22:35 on Feb 20, 2017

teen phone cutie

McGlockenshire posted:

Yes, only you also need to check that the query executed successfully. mysqli_stmt_execute returns a boolean.

So is this as simple as wrapping mysqli_stmt_execute in an "if" statement?

McGlockenshire posted:

Imagine a world where id = '1 OR 1 = 1'. If you were doing plain old string concat, your query would end up being DELETE FROM words WHERE id =1 OR 1 = 1. The "OR 1=1" clause will match every single row in the table.

With the prepared statement, the string '1 OR 1 = 1' would be filled in where the question mark is, complete with what are effectively quotes. Using prepared statements gives you a good degree of certainty that users will not be able to manipulate your SQL commands. (There are ways to gently caress up prepared statements with MySQL, but most of them rely on some pretty deep character encoding magic poo poo and you shouldn't worry about that quite yet. It's easy enough to defend against but there's an education barrier to doing it right.)

Further, if id is only and must only be a positive whole integer, you need to validate that separately. You should be passing the id to delete to the function, not have the function pull it out of $_GET, and the code doing the calling should be responsible for making sure that it's going to pass that function a positive whole integer.

Thanks. This is super helpful. I have never been able to wrap my head around SQL injections.

teen phone cutie fucked around with this message at 18:09 on Feb 21, 2017
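To make the "1 OR 1 = 1" walkthrough quoted above (and the first post's question of how injections work at all) concrete, here is an added example that is not from the thread: it runs a concatenated and a prepared-statement version of delete_word() against an in-memory SQLite table through PDO rather than mysqli, so it needs no MySQL server. The table, its three words, the hostile input and the function names delete_word_concat, delete_word_prepared and id_from_request are constructed for the demo; it assumes the pdo_sqlite extension is enabled.

```php
<?php
// Added example (not from the thread): the concatenated and the prepared
// delete_word() variants run against an in-memory SQLite table through PDO,
// so it is self-contained. mysqli_prepare() against MySQL works the same way.

// Constructed sample table: three words with ids 1, 2, 3.
function fresh_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE words (id INTEGER PRIMARY KEY, word TEXT)');
    $db->exec("INSERT INTO words (word) VALUES ('apple'), ('banana'), ('cherry')");
    return $db;
}

// Vulnerable: the value becomes part of the SQL text, so it can change the
// command itself. With '1 OR 1 = 1' glued in, the WHERE clause matches every row.
function delete_word_concat(PDO $db, string $url_id): int {
    return $db->exec("DELETE FROM words WHERE id = " . $url_id);
}

// Fixed: the id travels as a bound parameter and can only ever be a value.
// The caller validates it first, and execute()'s boolean result is checked.
function delete_word_prepared(PDO $db, int $id): int {
    $stmt = $db->prepare('DELETE FROM words WHERE id = ?');
    if (!$stmt->execute([$id])) {
        throw new RuntimeException('delete failed');
    }
    return $stmt->rowCount();
}

// Caller-side validation: accept a positive whole integer, otherwise null.
function id_from_request(array $get): ?int {
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

$hostile = '1 OR 1 = 1';   // constructed input, the value the quoted post describes

$db = fresh_db();
echo delete_word_concat($db, $hostile), " rows deleted by concatenation\n";

$db = fresh_db();
$id = id_from_request(['id' => $hostile]);
echo $id === null ? "hostile id rejected: not a positive integer\n" : "accepted\n";

$id = id_from_request(['id' => '2']);
echo delete_word_prepared($db, $id), " row deleted by prepared statement\n";
```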

teen phone cutie
This might be a longshot, but has anyone used curl in PHP to connect to the BigCommerce API?

teen phone cutie
Yup. That's the exact documentation I've been staring at for an hour.

Been trying to connect to this loving API through PHP with no luck.

e: Got it to connect through Curl. gently caress PHP man

teen phone cutie fucked around with this message at 22:30 on Mar 16, 2017

teen phone cutie
What are some good resources for learning how to connect to REST APIs with OAuth?

The specific one I want to work with has some instructions to connect with curl, but I'd like to learn how to work with APIs in either PHP or Node js.

This is coming from someone who has a pretty small amount of experience with the backend.

teen phone cutie
Does anyone have any recommendations for beginner PHP tutorials for creating REST APIs?

teen phone cutie fucked around with this message at 19:24 on Dec 7, 2017

teen phone cutie
Well, I guess the reason I want to learn REST practices in PHP is mostly because we use PHP at work on our apps.

And I’ve been making my best attempt to be more of a full stack developer, as I’ve pretty much been doing frontend throughout my career.

But I’ll be sure to read through the docs of these frameworks and see what I like!

teen phone cutie
We built our own, but it implements a lot of the same ideas as Laravel, from what I’ve been told.
