tags:

views:

75

answers:

6
+1  Q: 

SQL validation!

I am pretty new in SQL so this may be a stupid question...

I have a form in PHP which fills in few fields in my SQL table. I have this code:

$sql="INSERT INTO $tbl_name
(app_name, app_path, short_desc, full_desc)
VALUES ('$_POST[app_name]', '$_POST[app_path]',
'$_POST[short_desc]', '$_POST[full_desc]')";

But even app_name and app_path are NOT NULL columns, the query can be executed if there is no text in these fields in the form.

So, my question is:

How to stop the execution of the query if there is no text in the NOT NULL fields ?

A:  
if ($app_name != "" && $app_path != "")
    $sql="INSERT INTO $tbl_name (app_name, app_path, short_desc, full_desc) VALUES ('$_POST[app_name]', '$_POST[app_path]', '$_POST[short_desc]', '$_POST[full_desc]')";
else { /* do something */ }

Use mysql_real_escape_string() to sanitize the input before running the insertion query.

Jan Kuboschek  2010-06-05 12:45:33
+3  A: 

You can test the values before trying to execute the query:

if (empty($_POST['app_path']))
{
    // Error.
}

Note also that your code could be vulnerable to SQL injection attacks. You could use mysql_real_escape_string to protect yourself against this attack:

$sql= sprintf("INSERT INTO $tbl_name
               (app_name, app_path, short_desc, full_desc)
               VALUES ('%s', '%s', '%s', '%s')",
               mysql_real_escape_string($_POST['app_name']),
               mysql_real_escape_string($_POST['app_path']),
               mysql_real_escape_string($_POST['short_desc']),
               mysql_real_escape_string($_POST['app_full_desc']));
Mark Byers  2010-06-05 12:46:15
Thanks... It's so simple :).
Filip  2010-06-05 13:26:13
$_POST[app_path] will raise at least one E_NOTICE because you forgot to quote app_path, and possibly another one if the value is not defined. What you should be doing is `empty($_POST["app_path"])`.
Matti Virkkunen  2010-06-05 13:33:43
@Matti Virkkunen: Nice! I'm surprised no-one else here suggested that yet.
Mark Byers  2010-06-05 13:38:58
A: 

Btw, empty string and NULL is not the same thing. http://dev.mysql.com/doc/refman/5.0/en/working-with-null.html

And validate variables before execute the query.

Anpher  2010-06-05 12:46:38
+5  A: 

Please do not do it like this, you are writing code with SQL injection vulnerabilities. You are also making programming fairies die.

Look into Prepared statements. After that, take the advice in other answers here on checking the values first.

Dan McGrath  2010-06-05 12:48:28
This. Parametrized queries is where it's at nowadays, constructing query strings by hand is yesteryear.
Matti Virkkunen  2010-06-05 12:54:08
Don't worry. This form is just for admins. But the login form is secure.Thanks anyway.
Filip  2010-06-05 13:03:21
@Filip: Considering that it'll break if you type an apostrophe into the description field, I'd say it's at least an annoyance for the admins too. Also, this is no excuse to leave things unsecured. It's best to stick to the proper way of doing things all the time, so you don't forget it when it's really needed.
Matti Virkkunen  2010-06-05 13:05:42
"This form is just for admins" => I don't remember where I read it, so take it as you like, but it seems that about 80% of real company data detroyed in this manner are valid, logged in, possibly disgruntled employees. Do NOT trust logged in users. Maybe not even yourself :P
Wrikken  2010-06-05 13:11:12
+1 @ Wrikken. I hate it when people say something like "it is only for internal users". I'm also sick of dealing with vendor software that has these exact same issues. Sometimes I feel like there should be laws about selling software that disregards best-practices with security.
Dan McGrath  2010-06-05 13:15:13
Somehow it's a good point this thing with the admin form security :). I'll do some work on it too...
Filip  2010-06-05 13:25:11
A: 

They are probably blanks/empty strings, an empty string is not the same as NULL

but you have bigger problems here, your code is vulnerable to SQL Injection

SQLMenace  2010-06-05 12:48:37
A: 

Empty strings are not null, so nothing bad would happen even if you did insert that. However, if you really want to abort, then Same as @Jan's solution, however I can't upvote it because he didn't correct you on a very important point having to do with escaping user's strings and SQL injection attacks.

UPDATE now he did :) Anyway, see? Ask one question, get another much more valuable one answered by everybody! :)

Amadan  2010-06-05 12:51:39

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL