3 Replies - 2147 Views - Last Post: 21 November 2011 - 07:20 PM

#1 swim_fan08

Prepared statements question

Posted 19 November 2011 - 06:53 PM

I have a few questions on the prepared statements I am using. First, did I code correctly? I was a little confused because this is my first time using prepared statements. Second question, do prepared statements protect against XSS and HTML injections?

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- 
Author: Reality Software 
Website: http://www.realitysoftware.ca 
Note: This is a free template released under the Creative Commons Attribution 3.0 license,  
which means you can use it in any way you want provided you keep the link to the author intact. 
--> 
<html xmlns="http://www.w3.org/1999/xhtml"> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
<title></title> 
<link href="style.css" rel="stylesheet" type="text/css" /></head> 
<body> 
 
 
    <!-- header --> 
    <div id="header"> 
        <div id="logo"><a href="index.html">Header</a></div> 
        <div id="menu"> 
            <ul> 
            <li><a href="index.html">Home</a></li> 
            <li><a href="">Link 1</a></li> 
            <li><a href="">Link 2</a></li> 
            <li><a href="">Link 3</a></li> 
            <li><a href="">Contact</a></li> 
        <li><a href="guestbook.php">Guestbook</a></li> 
                  </ul>    
  </div> 
</div>
<div id="icon"><a href="twitter.com/"> 
<img border="0" src="http://www.000webhost.com/forum/images/twitter.png" alt="twitter" width="58px;" height="53px;" /> 
</a></div> 

    <!--end header --> 
    <!-- main --> 
    <div id="main"> 
    <div id="content">   
  
  
 <div id="text"> 
                <h1><strong>Guestbook</strong></h1> 
</div> 
 
<?php   
$db = new mysqli("localhost", "a7560006_host", "mypassword", "a7560006_guest");
$preparedStatement1 = $db->prepare('SELECT * FROM guestbook WHERE name = ?'); 
$preparedStatement1 ->bind_param("s", $name);
$preparedStatement1 ->execute();
$prerapedStatement1->bind_result($comment_id,$name,$comment,$datetime);
$preparedStatement1->store();

$preparedStatement2 = $db->prepare('SELECT * FROM guestbook WHERE verif_box = ?'); 
$preparedStatement2 ->bind_param("s", $verif_box);
$preparedStatement2 ->execute();
$prerapedStatement1->bind_result($comment_id,$name,$comment,$datetime);
$preparedStatement2->store();

while($preparedStatement1->fetch()){

$mysql_host = "localhost";
$mysql_database = "a7560006_guest";
$mysql_user = "a7560006_host";
$mysql_password = "mypassword";
 
// Connect to server and select database.
mysql_connect("$mysql_host", "$mysql_user", "$mysql_password") or die("cannot connect server");
mysql_select_db("$mysql_database") or die("cannot select DB");

$tbl_name="guestbook"; // Table name 
 
$name = ($_POST['name']); 
$comment = ($_POST['comment']); 
 
$datetime=date("M-d-Y h:i:s A"); //date time   
$verif_box = ($_POST['verif_box']);   
  
if(md5($verif_box).'a4xn' != $_COOKIE['tntcon']){ ?> 
<table width="400" border="0" align="center">    
<tr><td align="center"><h4>You have not entered captcha or entered incorrect captcha!</h4></td></tr>      
</table>  
        
</div>  
     <!-- footer --> 
    <div id="footer"> 
    <div id="left_footer">&copy; Copyright 2011<strong> Author </strong></div> 
    <div id="right_footer"> 
 
<!-- Please do not change or delete this link. Read the license! Thanks. :-) --> 
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a> 
 
    </div> 
    </div> 
    <!-- end footer --> 
    </div>           
    <!-- end main --> 
     
</body> 
</html> 
 
<? 
exit;  
} 
 
if(empty($name) || empty($comment)) { ?>    
  <table width="400" border="0" align="center">    
  <tr><td align="center"><h3>Sorry, all fields are required!</h3></td></tr>      
  </table>    
<?      
} else {    
 
$sql="INSERT INTO $tbl_name (name, comment, datetime) VALUES ('$name', '$comment', '$datetime')";   
$result=mysql_query($sql);   
 
//check if query successful   
if($result) { ?>  
<table width="400" border="0" align="center">    
<tr><td align="center"><h3>Thank you for signing my guestbook!</h3></td></tr>      
</table>    
<?   
echo "<meta http-equiv='Refresh' content='1; URL=viewguestbook.php'>";  // link to view guestbook page   
} else {   
echo "ERROR";   
}   
 
mysql_close();  
}  
?> 
 
</div>  
 
     <!-- footer --> 
    <div id="footer"> 
    <div id="left_footer">&copy; Copyright 2011<strong> Author </strong></div> 
    <div id="right_footer"> 
 
<!-- Please do not change or delete this link. Read the license! Thanks. :-) --> 
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a> 
 
    </div> 
    </div> 
    <!-- end footer --> 
    </div>           
    <!-- end main --> 
 
</body> 
</html>




Replies To: Prepared statements question

#2 CTphpnwb

Re: Prepared statements question

Posted 19 November 2011 - 08:51 PM

Prepared statements protect against SQL injection attacks. Cross site scripting attacks work on client side code, as do HTML injections.

PHP and MySQL are server side. Your code is a mix of PHP and HTML, so you've jumbled together two languages that run on two different machines. That's a good way to confuse yourself into a pattern of thinking that allows you to wonder if prepared statements can prevent XSS attacks. Separate your code.

#3 codeprada

Re: Prepared statements question

Posted 19 November 2011 - 09:20 PM

Hey

You've got the concept sorta right but there are a few flaws in your code. You've been using $preparedStatement1->store() throughout your code and MySQLi_STMT does not contain such a function.

I don't see the purpose of your second query since you never bound the results to variables or fetched them. If you need to select the rows whose name and verif_box are equal to a certain value, then I'd say this should work just fine.
SELECT * FROM guestbook WHERE name = ? and verif_box = ?

Why did you switch to MySQL later on in your code?

php.net provides some pretty nice examples that you can follow.
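As an added example (not code from anyone in this thread), here is the guestbook insert and lookup written entirely with mysqli prepared statements, as replies #2 and #3 suggest: one API instead of a mysql/mysqli mix, store_result() in place of the nonexistent store(), and, for the XSS question, HTML encoding at output time, since the prepared statement only protects the SQL. Assumed: the guestbook table has the columns comment_id, name, comment and datetime; the connection credentials are placeholders.

```php
<?php
// Added example, not the poster's code. Assumes the table from the question:
// guestbook(comment_id, name, comment, datetime). Credentials are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors instead of failing silently
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');

// Insert: the ? placeholders keep the values out of the SQL text, so quotes or SQL
// keywords inside a comment are stored as plain text. This is what stops SQL injection.
function add_entry(mysqli $db, string $name, string $comment): int {
    $stmt = $db->prepare('INSERT INTO guestbook (name, comment, datetime) VALUES (?, ?, ?)');
    $datetime = date('M-d-Y h:i:s A');
    $stmt->bind_param('sss', $name, $comment, $datetime);
    $stmt->execute();
    $id = $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Select: bind the input, buffer the rows with store_result() (there is no store()),
// bind the result columns, then fetch() copies each row into the bound variables.
function entries_by_name(mysqli $db, string $name): array {
    $stmt = $db->prepare('SELECT comment_id, name, comment, datetime FROM guestbook WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($id, $who, $comment, $when);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['id' => $id, 'name' => $who, 'comment' => $comment, 'datetime' => $when];
    }
    $stmt->close();
    return $rows;
}

// The prepared statement did not change the stored text, so a comment containing HTML
// tags comes back exactly as entered. XSS is prevented at output time: encode every
// value when it is written into HTML, not on the way into the database.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_POST['name']) && !empty($_POST['comment'])) {
    add_entry($db, $_POST['name'], $_POST['comment']);
}
foreach (entries_by_name($db, $_GET['name'] ?? '') as $row) {
    echo '<p><strong>', h($row['name']), '</strong> (', h($row['datetime']), '): ', h($row['comment']), '</p>';
}
```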

#4 swim_fan08

Re: Prepared statements question

Posted 21 November 2011 - 07:20 PM

I switched to MySQL later on because that's how I started my guestbook, and then later on I added my code to prevent injections.
