How to write the complete HTML of a form in MySQL?

-1

I'm trying to write the full HTML of a form, since I have a system in which each user can have their own payment form, which requires that each one records the purchase button code, for example from PagSeguro.

This generates the following error when I try to write to MySQL through an administrative form that I developed to record these payment codes:

You have an error in your SQL syntax; check the manual that corresponds  
to your MySQL server version for the right syntax to use near 'post' 
action='https://www.meu.url/PagamentoSimples.do'> 

I've tried several pieces of code, like:

$clientepagseguro = strip_tags($_POST['clientepagseguro']);

Nothing worked out.

HTML:

<form method='post' action='https://www.meu.url/PagamentoSimples.do'>
    <input type='hidden' name='id_carteira' value='[email protected]'/>
    <input type='hidden' name='valor' value='4000'/>
    <input type='hidden' name='nome' value='Site Lucrativo'/>
    <input type='image' name='submit' src='https://static.moip.com.br/imgs/buttons/bt_pagar_c01_e04.png' alt='Pagar' border='0' />
</form>

What do I do to solve it?

asked by anonymous 18.04.2016 / 18:12

1 answer

0

The problem

You have to escape the data coming from the form, and this applies to any data you send to the database. If you are not doing this, in addition to the problem presented, your system is probably vulnerable to SQL Injection attacks.

What happens is that the data sent by the user, if it is HTML code, will probably contain single quotes, and these single quotes, if not escaped, end up breaking the query.

INSERT INTO `pagamento` (`btn_html`) VALUES ('Código HTML');

When you add HTML code, it would give you a problem; see below (this one has single quotes):

INSERT INTO `pagamento` (`btn_html`) VALUES ('<a href='#'>Meu botão</a>');

See in the example above that we have a conflict. The quotes belong to the query, and MySQL will understand that 2 different values are being passed: <a href= and >Meu botão</a>.

This alone would already be a problem, because you only specified one column; in addition, the # character is left "loose", which would also cause a problem.

Solutions

This will depend on how you are connecting to the database, whether you are using MySQLi or PDO.

In the case of MySQLi, you can solve it like this:

$string = "Caixa d'água";
// MySQLi: the connection link comes first, then the string to escape
$stringPronta = mysqli_real_escape_string($conexao, $string);

// $stringPronta will look like this: Caixa d\'água

Notice that the quote character was escaped with a backslash, just as we do to escape values in PHP. Remember that the $conexao variable refers to your previously created connection link.

Although this solves the problem, some people say that this method is not 100% secure against SQL Injections, so it's worth doing a search or opting to use PDO.

To resolve the problem with PDO, do:

$inserirBtn = $conexao->prepare("INSERT INTO `pagamento` (`btn_html`) VALUES (:btn_html)");
$inserirBtn->bindValue(':btn_html', $string);
$inserirBtn->execute();

Note that in the case of PDO it is much simpler, because it escapes the data "natively" before executing the query on the database server.

18.04.2016 / 19:02
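As an added example (not code from the question or the answer), the concatenated query that produces the question's error is placed beside the PDO prepared statement the answer recommends. It uses an in-memory SQLite database through PDO so it runs without a MySQL server (only the DSN would change for MySQL); the `pagamento` table and `btn_html` column are the answer's, and `$btnHtml` is constructed from the question's form.

```php
<?php
// Added example: concatenated SQL vs. a PDO prepared statement.
// In-memory SQLite stands in for MySQL so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE `pagamento` (`id` INTEGER PRIMARY KEY, `btn_html` TEXT)");

// Constructed sample: the button HTML from the question, full of single quotes.
$btnHtml = "<form method='post' action='https://www.meu.url/PagamentoSimples.do'>"
         . "<input type='hidden' name='valor' value='4000'/></form>";

// 1) Vulnerable: the value is pasted into the SQL text. The quote before
//    "post" closes the string literal and the rest is parsed as SQL, which
//    is exactly the "syntax ... near 'post'" error shown in the question.
try {
    $pdo->exec("INSERT INTO `pagamento` (`btn_html`) VALUES ('" . $btnHtml . "')");
    echo "unexpected: concatenated insert succeeded\n";
} catch (PDOException $e) {
    echo "concatenated insert failed as expected: " . $e->getMessage() . "\n";
}

// 2) Safe: the HTML travels as a bound parameter, never as part of the SQL
//    text, so its quotes cannot terminate the literal.
$stmt = $pdo->prepare("INSERT INTO `pagamento` (`btn_html`) VALUES (:btn_html)");
$stmt->bindValue(':btn_html', $btnHtml, PDO::PARAM_STR);
$stmt->execute();

// Read the row back (the id is bound too) and confirm the HTML is unchanged.
$read = $pdo->prepare("SELECT `btn_html` FROM `pagamento` WHERE `id` = :id");
$read->execute([':id' => $pdo->lastInsertId()]);
$stored = $read->fetchColumn();
echo $stored === $btnHtml ? "stored intact\n" : "stored value was altered\n";
```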