Sorry for not formatting my code. the toolbar was gone…
I want to insert some data into a mysql db. I’ve written a function in php:
```php
function add_ID($ID, $token) {
    // Builds the INSERT by interpolating the raw GET values into the SQL string
    $add = "INSERT INTO ids (ID, token) VALUES ('$ID', '$token')";
    mysql_query($add);
    echo 'added successfully';
}
if(isset($_GET['addDeviceID'])) {
    add_ID($_GET['ID'], $_GET['token']);
}
```
In the URL field of my browser I’m calling the function like that:
http://www.justanexample.com/example.php?ID=123123123&token=qwertzuiop
That works.
If I put a space into either one of the parameters for example like that:
http://www.justanexample.com/example.php?ID=123123 123&token=qwertzuiop
Nothing was added to my mysql db.
Would be great to get some help 🙂
Thank you!
Your function is vulnerable to SQL injection. You should validate all user-received parameters before using them in an SQL query, and pass any strings through mysql_real_escape_string, because then I could just pass in something like example.php?token='; DROP DATABASE; and royally screw up your application.

In your case, you should make a check that the received parameters are in the form that you expect first, return an error to the user if they don’t, and only then pass them into the SQL query.
You should also look into parametrized queries, which are an overall much better way of doing SQL queries with parameters than just using string concatenation. For that, look into using the mysqli extension instead of mysql, or at a higher level, PDO.
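The validation-then-prepared-statement approach the answer recommends, as an added example that is not the asker's code nor from the answer above. It assumes the `ids` table from the question, treats ID as digits-only and token as alphanumeric (an assumption taken from the example URL), and uses placeholder DSN and credentials; an ID containing a space, as in the failing URL, is now rejected with an explicit error instead of silently inserting nothing.

```php
<?php
// Added example: validate the two GET parameters, then insert them with a
// PDO prepared statement so the values never become part of the SQL text.
// Assumes table `ids` (ID, token) as in the question; DSN/credentials are placeholders.

function validate_params(array $get): ?array {
    // Accepted shapes are an assumption based on the question's example URL:
    // ID = digits only, token = short alphanumeric string. Anything else is rejected.
    if (!isset($get['ID'], $get['token'])) {
        return null;
    }
    if (!preg_match('/^\d{1,20}$/', $get['ID'])) {
        return null;   // "123123 123" (contains a space) fails here
    }
    if (!preg_match('/^[A-Za-z0-9]{1,64}$/', $get['token'])) {
        return null;   // "'; DROP DATABASE;" fails here
    }
    return ['ID' => $get['ID'], 'token' => $get['token']];
}

function add_ID(PDO $db, string $ID, string $token): bool {
    // Named placeholders: the driver sends values separately from the statement,
    // so even a token containing quotes or semicolons is stored as plain data.
    $stmt = $db->prepare('INSERT INTO ids (ID, token) VALUES (:id, :token)');
    return $stmt->execute([':id' => $ID, ':token' => $token]);
}

if (isset($_GET['addDeviceID'])) {
    $params = validate_params($_GET);
    if ($params === null) {
        http_response_code(400);
        echo 'ID must be numeric and token alphanumeric';
        exit;
    }
    $db = new PDO(
        'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASSWORD_PLACEHOLDER',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // surface failures instead of silent no-op
         PDO::ATTR_EMULATE_PREPARES => false]           // use real server-side prepares
    );
    if (add_ID($db, $params['ID'], $params['token'])) {
        echo 'added successfully';
    }
}
```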