can a mysqli injection affect the php script -


so have finished creating database , use php insert data it, have been trying sql injection attacks , other things see if secure, since no expert hoping check have done secure , correct way go about.

i have this(names/variables have been modified) form , when submit button pressed, function insert() runs

<form action="" method="post">   var1: <input type="text" name="var1"><br>   var2: <input type="text" name="var2"><br>  <input type="submit" value="submit"> </form>  <php? function insert() { $connect = mysqli_connect("localhost","user","user","table"); $var1 = $_post['var1']; $var2 = $_post['var2']; mysqli_query($connect, "insert column_name (var1, var2) values ( '$var1','$var2'); "); } ?>

and can't seem inject form has var1 , var2 this

$var2 = '): drop table test --and several variants of

from looking around have found mysqli_query accept 1 query why not working. correct me if wrong.

my other idea affecting php script running, injecting form this

$var2 = "'); "); mysqli_query($connect,"drop table test");//

question: can type of thing happen? can affect php function through $post method while runs? have looked around , can't find anything. because can't?

any research papers, articles, etc. can have @ if asking obvious appreciated :)

edit: adding prepared statements make secure

sql injections use commands union run multiple queries @ once @ vulnerable place. form vulnerable, because either not using sort of escaping, nor prepared statements. if $var2 contain example hi')? escape brackets , open vulnerability. if $_post['value'] , insert directly in database, opens xss vulnerability.


Comments

Post a Comment

Popular posts from this blog

javascript - AngularJS custom datepicker directive -

i make custom datepicker directive custom template. but have no idea how start building it... how include date data directive? i appreciate guide or give me advice work on more precisely. it might you! follow below steps html code sample: <label>birth date</label> <input type="text" ng-model="birthdate" date-options="dateoptions" custom-datepicker/> <hr/> <pre>birthdate = {{birthdate}}</pre> <script type="text/ng-template" id="custom-datepicker.html"> <div class="enhanced-datepicker"> <div class="proxied-field-wrap"> <input type="text" ui-date-format="yy-mm-dd" ng-model="ngmodel" ui-date="dateoptions"/> </div> <label> <button class="btn" type="button"><i class="icon-calendar"></i>
Read more

javascript - jQuery date picker - Disable dates after the selection from the first date picker -

<!doctype html> <html lang="en"> <head> <meta charset="utf-8"> <title>jquery ui datepicker - default functionality</title> <link rel="stylesheet" href="//code.jquery.com/ui/1.11.4/themes/smoothness/jquery-ui.css"> <script src="//code.jquery.com/jquery-1.10.2.js"></script> <script src="//code.jquery.com/ui/1.11.4/jquery-ui.js"></script> <link rel="stylesheet" href="/resources/demos/style.css"> <script> $(function () { $("#datepicker1").datepicker(); }); </script> <script> $(function () { $("#datepicker2").datepicker(); }); </script> </head> <body> <p>date 1: <input type="text" id="datepicker1"></p> <p>date 2: <input type="t
Read more