TechQA.

PHP code inserting empty values in SQL table after adding filter_var

132 views Asked by At

After adding filter_var and then sanitizing the input, my php code now inserts empty values in SQL table. My code worked fine before hand, but now doesn't work. How come? I'm trying to sanitize input so no one can hack my data. 

<?php
$servername = "localhost";
$username = "****";
$password = "*********";
$dbname = "app";

try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
// set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// prepare sql and bind parameters
    $stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (:firstname, :lastname, :email)");
    $stmt->bindParam(':firstname', $firstname);
    $stmt->bindParam(':lastname', $lastname);
    $stmt->bindParam(':email', $email);

// insert a row

    $firstname = filter_var($firstname, FILTER_SANITIZE_STRING, $_POST["firstname"]);
    $lastname = filter_var($lastname, FILTER_SANITIZE_STRING, $_POST["lastname"]);
    $email = filter_var($email, FILTER_SANITIZE_EMAIL, $_POST["email"]);
    $stmt->execute();


    echo "New records created successfully";
}
catch(PDOException $e)
{
    echo "Error: " . $e->getMessage();
}
$conn = null;
?>
php pdo sanitization filter-var
Original Q&A
1

There are 1 answers

0
Sunny Patel On BEST ANSWER

Looks like you aren't passing the right variables into filter_var and not checking if the data is valid.

// prepare sql and bind parameters
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (:firstname, :lastname, :email)");

// Validate input *BEFORE* binding to statement
$firstname = filter_var($_POST["firstname"], FILTER_SANITIZE_STRING);
$lastname = filter_var($_POST["lastname"], FILTER_SANITIZE_STRING);
$email = filter_var($_POST["email"], FILTER_SANITIZE_EMAIL);

if ($firstname && $lastname && $email) {
    $stmt->bindParam(':firstname', $firstname);
    $stmt->bindParam(':lastname', $lastname);
    $stmt->bindParam(':email', $email);

    // insert a row
    $stmt->execute();

    echo "New records created successfully";
} else {
    echo "Failed Data Check: First Name (" . $firstname . ") - Last Name (" . $lastname . ") - EMail (" . $email . ")" ;
}

You'll probably want to adjust the last debug line.

Related Questions in PHP

Related Questions in PDO

Related Questions in SANITIZATION

Related Questions in FILTER-VAR

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions