Hello members of the programming technorati. I come to you with an issue that I cannot seem to solve. I am trying to insert encrypted data into a MariaDB table with no success. Here is the code:

PHP
$insert_sql= "insert into loan_tbl
set clientID = '".$clientID."', 
loanID ='".$loanID."',
ewal_addr ='".$ewal_addr."',
etitle ='".$etitle."',
efname ='".$efname."',
elname ='".$elname."',
emarital_stat = '".$emarital_stat."',
eEmail ='".$eEmail."',
ephone ='".$ephone."',
edob_mon ='".$edob_mon."',
edob_day ='".$edob_day."',
edob_yr ='".$edob_yr."',
eaddr1 ='".$eaddr1."',
eaddr2 ='".$eaddr2."',
ecity ='".$ecity."',
estate ='".$estate."',
ezipcode= '".$ezipcode."',
ecountry ='".$ecountry."',
ejob_title ='".$ejob_title."',
eEmployer ='".$eEmployer."',
eyrs_at_job ='".$eyrs_at_job."',
emon_income = '".$emon_income."',
erent_mort ='".$erent_mort."',
eques_money_for_exp ='".$eques_money_for_exp."',
eques_retire ='".$eques_retire."',
eques_debt_paid_off ='".$eques_debt_paid_off."',
eques_cover_exp ='".$eques_cover_exp."',
eques_talk_fin_adv ='".$eques_talk_fin_adv."',
eques_big_buy ='".$eques_big_buy."',
eques_15_retire ='".$eques_15_retire."',
eques_paid_off_home ='".$eques_paid_off_home."',
eform_fact ='".$eform_fact."' ";



If ($insert_sql === TRUE){
echo "Table has been updated!";
}else{
echo "ERROR updating loan_tbl!";
}


What I have tried:

I have tested the encrypt and decrypt PHP code successfully. The encrypted data is not long; about 20 characters. But I just can't get the information into MariaDB. I connect to the database successfully. But I can't insert the data into the table. Please advise.
Thanks in advance.
Batoe
Posted
Updated 1-Nov-22 15:04pm
Comments
Richard Deeming 2-Nov-22 5:11am    
Your code is vulnerable to SQL Injection. NEVER use string concatenation/interpolation to build a SQL query. ALWAYS use a parameterized query.

PHP: SQL Injection - Manual
Richard Deeming 2-Nov-22 5:12am    
Except you never actually execute the SQL string, so you're not trying to insert anything. All you're doing is testing whether the string is exactly equal to TRUE, which will never be the case.
Tony Starke 2-Nov-22 8:20am    
I use a PHP sanitize function to remove malicious code from the data that is submitted.
Richard Deeming 2-Nov-22 8:42am    
Why? You only need to forget to call it once, or for one person to find a bug in that function, and your database is toast.

Use a properly parameterized query every time, and you never need to worry about it. The code and the data can never be confused.

Also, you'll avoid having to fight with finding an acceptable literal representation for values other than strings and numbers, since the values won't need to be inserted into a string of SQL code.
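
A parameterized version of the insert discussed in the comments above, as an added example that is not code from the original poster or any commenter: it prepares the statement, binds the values, and tests the result of `execute()` rather than the SQL string. The function name `insertLoan`, the shortened column list, the sample row and the in-memory SQLite connection (used so the script runs offline) are assumptions; with MariaDB only the DSN changes.

```php
<?php
declare(strict_types=1);

// Column whitelist taken from the question's loan_tbl statement (subset for brevity).
const LOAN_COLUMNS = ['clientID', 'loanID', 'ewal_addr', 'etitle', 'efname', 'elname', 'eEmail'];

// Hypothetical helper: column names come only from the whitelist above;
// values are bound as parameters, never concatenated into the SQL text.
function insertLoan(PDO $pdo, array $row): bool
{
    $unknown = array_diff(array_keys($row), LOAN_COLUMNS);
    if ($unknown !== []) {
        throw new InvalidArgumentException('Unexpected column(s): ' . implode(', ', $unknown));
    }
    $cols = array_keys($row);
    $sql = sprintf(
        'INSERT INTO loan_tbl (%s) VALUES (%s)',
        implode(', ', $cols),
        implode(', ', array_map(fn(string $c): string => ':' . $c, $cols))
    );
    $stmt = $pdo->prepare($sql);
    // execute() is what actually runs the statement; its return value is the thing to test.
    return $stmt->execute($row);
}

// Demo connection (assumption): in-memory SQLite so the script runs without a server.
// For MariaDB: new PDO('mysql:host=...;dbname=...;charset=utf8mb4', $user, $pass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE loan_tbl (' . implode(' TEXT, ', LOAN_COLUMNS) . ' TEXT)');

// Constructed sample row standing in for encrypted values; one contains quote characters.
$row = [
    'clientID' => 'C-1001',
    'loanID'   => 'L-2002',
    'efname'   => "q7'\";--Zk",
    'eEmail'   => base64_encode(random_bytes(15)),
];

try {
    echo insertLoan($pdo, $row) ? "Table has been updated!\n" : "ERROR updating loan_tbl!\n";
    $stored = $pdo->query('SELECT efname FROM loan_tbl')->fetchColumn();
    echo 'Stored verbatim: ', var_export($stored === $row['efname'], true), "\n";
} catch (PDOException $e) {
    echo 'ERROR updating loan_tbl: ', $e->getMessage(), "\n";
}
```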

 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


