Commit 387e0ea1 authored by Sorrel Harriet's avatar Sorrel Harriet

adding an insecure version of add record

parent 98418301
......@@ -34,6 +34,9 @@ case 'orders' :
case 'order' :
include 'views/order.php';
break;
case 'add-record' :
include 'views/add-record-insecure.php';
break;
default :
include 'views/404.php';
}
......
<?php
$content = "<h1>Add a record</h1>";
// define a variable with path to the script which will process form
// -> $_SERVER["PHP_SELF"] is a path to the current script (index.php)
// -> htmlspecialchars() is used to replace special characters with HTML entities */
$action = htmlspecialchars($_SERVER["PHP_SELF"]."?page=add-record");
// fetch the artists so that we have access to their names and IDs
$sql = "SELECT id, first_name, last_name
FROM artist
ORDER BY last_name";
$result = mysqli_query($link, $sql);
// check query returned a result
if ($result === false) {
echo mysqli_error($link);
} else {
$options = "";
// create an option for each artist
while ($row = mysqli_fetch_assoc($result)) {
$options .= "<option value='".$row['id']."'>";
$options .= $row['first_name']." ".$row['last_name'];
$options .= "</option>";
}
}
// define the form HTML (would ideally be in a template)
$form_html = "<form action='".$action."' method='POST'>
<fieldset>
<label for='ean'>EAN (required):</label>
<input type='text' name='ean'/>
</fieldset>
<fieldset>
<label for='title'>Title:</label>
<input type='text' name='title' />
</fieldset>
<fieldset>
<label for='artist_id'>Artist:</label>
<select name='artist_id'>
".$options."
<option value='NULL'>Not listed</option>
</select>
</fieldset>
<fieldset>
<label for='genre'>Genre</label>
<input type='text' name='genre' />
</fieldset>
<fieldset>
<label for='year'>Year:</label>
<input type='text' name='year' size='5' placeholder='YYYY' />
</fieldset>
<fieldset>
<label for='price'>Price (&pound;):</label>
<input type='text' name='price' placeholder='00.00' />
</fieldset>
<button type='submit'>Submit</button>
</form>";
// append form HTML to content string
$content .= $form_html;
// ------- START form processing code... -------
// define variables and set to empty values
$title = $artist_id = $price = $year = $genre = "";
// check if there was a POST request
if ($_SERVER["REQUEST_METHOD"] == "POST") {
// validate the form data
$ean = $_POST["ean"];
$title = $_POST["title"];
$artist_id = $_POST["artist_id"];
$genre = $_POST["genre"];
$year = $_POST["year"];
$price = $_POST["price"];
// define the insertion query
$sql = sprintf("INSERT INTO record (ean, title, artist_id, genre, year, price)
VALUES (%d, %d, %d, %d, %d, %d)", $ean, $title, $artist_id, $genre, $year, $price);
// run the query to insert the data
$result = mysqli_query($link, $sql);
// check if the query went ok
if ($result === false) {
echo mysqli_error($link);
} else {
$content .= "Record successfully added to database.";
}
}
// ------- END form processing code... -------
// output the html
echo($content);
?>
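Review bot: The `sprintf("INSERT INTO record (...) VALUES (%d, %d, %d, %d, %d, %d)", ...)` near the end of the form-processing block formats every column with `%d`, so title and genre (free-text inputs in the form above) are always stored as 0, the literal `'NULL'` that the "Not listed" option submits for artist_id becomes 0 rather than SQL NULL, and a 13-digit EAN may overflow a 32-bit int; the same format string is introduced into add-record.php by the `@@ -79,16 +80,16 @@` hunk, where it additionally makes the new `mysqli_real_escape_string` calls irrelevant. The `$_POST` fields are read without `isset`/`??` guards, `$ean` is missing from `$title = $artist_id = $price = $year = $genre = "";`, and `$options` is only assigned on the success branch of the artist query yet is interpolated into `$form_html` unconditionally. `$row['first_name']` and `$row['last_name']` are emitted into the `<option>` text without `htmlspecialchars()`, and `mysqli_error($link)` is echoed straight to the page. If this file is meant to remain a deliberately weak counterpart of views/add-record.php, a header comment such as `// Deliberately insecure teaching version of views/add-record.php; see that file for the validated variant` should say so; otherwise the insert belongs in a prepared statement with typed bindings, sketched below.
```php
// … unchanged: reading of the $_POST fields …
// "Not listed" submits the literal string 'NULL'; map it to a real null before binding
$artist_id = ($artist_id === 'NULL') ? null : (int) $artist_id;
// define the insertion query with placeholders so submitted values are never interpolated into SQL
$stmt = mysqli_prepare($link, "INSERT INTO record (ean, title, artist_id, genre, year, price)
VALUES (?, ?, ?, ?, ?, ?)");
if ($stmt === false) {
    echo mysqli_error($link);
} else {
    // s = string, i = int, d = double; a PHP null is sent as SQL NULL whatever the letter.
    // Letters assume ean/title/genre are text, year int, price decimal — confirm against the schema.
    mysqli_stmt_bind_param($stmt, "ssisid", $ean, $title, $artist_id, $genre, $year, $price);
    $result = mysqli_stmt_execute($stmt);
    // … unchanged: result check and success message …
}
```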
......@@ -2,15 +2,15 @@
$content = "<h1>Add a record</h1>";
// define a variable with path to script which will handle submission
// define a variable with path to the script which will process form
// -> $_SERVER["PHP_SELF"] is a path to the current script (index.php)
// -> htmlspecialchars() is used to escape HTML characters (prevents XSS) */
// -> htmlspecialchars() is used to replace special characters with HTML entities */
$action = htmlspecialchars($_SERVER["PHP_SELF"]."?page=add-record");
// fetch the artists so that we have access to their names and IDs
$sql = "SELECT id, first_name, last_name
FROM artist
ORDER BY last_name";
ORDER BY last_name";
$result = mysqli_query($link, $sql);
......@@ -65,11 +65,12 @@ $content .= $form_html;
// ------- START form processing code... -------
// define a function to validate form data (this would ideally be in includes folder)
function test_input($data) {
// define a function to sanitise user input (this would ideally be in includes folder)
// helps protect against XSS
function clean_input($data) {
$data = trim($data); // strips unnecessary characters from beginning/end
$data = stripslashes($data); // remove backslashes
$data = htmlspecialchars($data); // escape special characters
$data = htmlspecialchars($data); // replace special characters with HTML entities
return $data;
}
......@@ -79,16 +80,16 @@ $title = $artist_id = $price = $year = $genre = "";
// check if there was a POST request
if ($_SERVER["REQUEST_METHOD"] == "POST") {
// validate the form data
$ean = test_input($_POST["ean"]);
$title = test_input($_POST["title"]);
$artist_id = test_input($_POST["artist_id"]);
$genre = test_input($_POST["genre"]);
$year = test_input($_POST["year"]);
$price = test_input($_POST["price"]);
$ean = mysqli_real_escape_string($link, clean_input($_POST["ean"]));
$title = mysqli_real_escape_string($link, clean_input($_POST["title"]);
$artist_id = mysqli_real_escape_string($link, clean_input($_POST["artist_id"]);
$genre = mysqli_real_escape_string($link, clean_input($_POST["genre"]);
$year = mysqli_real_escape_string($link, clean_input($_POST["year"]);
$price = mysqli_real_escape_string($link, clean_input($_POST["price"]);
// define the insertion query
$sql = "INSERT INTO record (ean, title, artist_id, genre, year, price)
VALUES ('".$ean."', '".$title."', ".$artist_id.", '".$genre."', ".$year.", ".$price.")";
$sql = sprintf("INSERT INTO record (ean, title, artist_id, genre, year, price)
VALUES (%d, %d, %d, %d, %d, %d)", $ean, $title, $artist_id, $genre, $year, $price);
// run the query to insert the data
$result = mysqli_query($link, $sql);
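Review bot: Five of the six new assignments in the `@@ -79,16 +80,16 @@` hunk are missing a closing parenthesis as printed — e.g. `$title = mysqli_real_escape_string($link, clean_input($_POST["title"]);` — which is a parse error that takes the whole page down; each should read like the ean line, `$title = mysqli_real_escape_string($link, clean_input($_POST["title"]));`. Even once balanced, the escaped strings are passed to `sprintf("... VALUES (%d, %d, %d, %d, %d, %d)", ...)`, which casts every value to an integer, so the escaping has no effect on what reaches the database and the text columns (title, genre) receive 0 instead of the submitted value. In clean_input (the `@@ -65,11 +65,12 @@` hunk) `htmlspecialchars()` is applied before storage, which writes HTML entities into the database and is not an SQL defence; HTML escaping belongs at output time, and the SQL side belongs in a prepared statement (`mysqli_prepare` / `mysqli_stmt_bind_param`) rather than escape-then-format. The enclosing `if ($_SERVER["REQUEST_METHOD"] == "POST")` block continues past the end of the hunk.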
......