This is my first time creating a PHP form that will run a MySQL query using INSERT INTO to store data in a production DB. Will this pass for “secure” or is it overkill?
$orderText = $mysqli->real_escape_string(stripslashes(htmlentities((!isset($_POST["order_text"])?"undefined":$_POST["order_text"]))));
$stmt = $mysqli->prepare("INSERT INTO testtable (order_text) VALUES (?)");
$stmt->bind_param('s',$orderText);
$stmt->execute();
I’m not sure how the lack of a SELECT * affects the amount of risk I’m opening myself up to, but it seems like a script that only uses INSERT is safer. True?
There is a great amount of false assumptions in your question.
It is certainly an overkill.
Let’s examine your extremely-hard-to-read zillion-nested-operator statement:
You are taking the problem from the wrong end.
Your primary goal is to format your query properly. Not to defend from imaginary “attackers” but to prevent malfunction with the most honest data. A properly formatted query will be invulnerable to various attacks just as a side effect.
Say, real_escape_string has nothing to do with security. It is used merely to format strings. There are no strings (data enclosed in quotes) in your query – thus this function is utterly useless (and even harmful).
In fact, an injection via INSERT is no less disastrous than via SELECT.
Finally, the right code would be
and when printing the order text back to the site, use htmlspecialchars(). That’s all.
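To make the answer's two points concrete (the INSERT needs only a placeholder, and HTML escaping belongs at output time, not before storage), here is an added example; it is not code from the question or the answer. It assumes an existing mysqli connection in `$mysqli` with the mysqlnd driver (for `get_result()`), the question's `testtable` with an additional auto-increment `id` column, and mysqli configured to throw exceptions. The parameterised SELECT is included to show that the same placeholder mechanism, not the choice of INSERT over SELECT, is what keeps data separate from SQL.

```php
<?php
// Added example, not the question's or the answer's code.
// Assumptions: $mysqli is an open mysqli connection (mysqlnd available),
// testtable has columns (id INT AUTO_INCREMENT PRIMARY KEY, order_text TEXT),
// and mysqli errors are thrown as exceptions.

declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Store the order text exactly as the user submitted it.
 * The placeholder keeps data apart from SQL: quotes, backslashes, semicolons
 * and comment markers in $orderText are stored as plain bytes in the column.
 * No real_escape_string(), stripslashes() or htmlentities() is needed here;
 * htmlentities() at this point would, for example, store "&amp;" for "&",
 * so the database would no longer hold what the user actually typed.
 */
function storeOrderText(mysqli $mysqli, string $orderText): int
{
    $stmt = $mysqli->prepare("INSERT INTO testtable (order_text) VALUES (?)");
    $stmt->bind_param('s', $orderText);
    $stmt->execute();
    return (int) $stmt->insert_id; // id of the row just inserted
}

/**
 * Read the text back unchanged. A parameterised SELECT is exactly as safe
 * as the parameterised INSERT above; the verb does not change the risk,
 * the placeholder does.
 */
function loadOrderText(mysqli $mysqli, int $id): ?string
{
    $stmt = $mysqli->prepare("SELECT order_text FROM testtable WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row === null ? null : (string) $row['order_text'];
}

/**
 * Escape for HTML only at the moment the value goes into a page.
 * This is the single place where htmlspecialchars() belongs.
 */
function renderOrderText(string $orderText): string
{
    return '<p>' . htmlspecialchars($orderText, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Constructed sample input (used when the form field is absent): honest text
// containing a quote, an ampersand and angle brackets, none of which needs
// any treatment before it is stored.
$input = $_POST['order_text'] ?? "O'Reilly & Sons <urgent>";

$id   = storeOrderText($mysqli, $input);
$text = loadOrderText($mysqli, $id);
echo renderOrderText($text ?? '');
```

The stored value is the input byte for byte; only `renderOrderText()` changes anything, and only for the HTML context, turning `&` into `&amp;` and `<` into `&lt;` so the text is displayed rather than interpreted as markup. If the same value were later written into JSON, a URL or a shell command, it would need that context's own encoding instead, which is why escaping is deferred to the output rather than baked into the database.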