registrarse.html

<form action="registrarse.php" method="post">
    <label for="dni">Dni:</label>
    <input type="text" id="dni" name="dni" required size="10" placeholder="Dni" pattern="[0-9]{8}-[A-Z]{1}"/>
    <p>The DNI must be 8 digits long followed by a letter, for example 43564748-B</p>
    <button type="submit">Registrarse</button>
</form>

$_POST['dni'] holds 43564748-B

registrarse.php

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$link = mysqli_connect("localhost", "root", "P-11fl32fg14", "registrarse");

$query = ?>"INSERT INTO registrarse (dni) VALUES ("<?php $_POST["dni"]?>")";<?php
mysqli_query($link, $query);

mysqli_close($link);

Parse error: syntax error, unexpected variable "$_POST" in /var/www/html/cacau/registrarse/registrarse.php on line 42

CREATE TABLE registrarse (
dni CHAR(10),
PRIMARY KEY (dni)
);

bertrc
$query = ?>"INSERT INTO registrarse (dni) VALUES ("<?php $_POST["dni"]?>")";<?php

So why are you just outputting the insert statement straight to the user?
https://www.php.net/language.basic-syntax.phpmode

$query = "INSERT INTO regsitrarse (dni) VALUES ("{$_POST['incredibly-dangerous-SQL-injection-vulnerability']}")";

(inb4: hurhur, he said "arse"...)

    "INSERT INTO registrarse (dni) VALUES ("{$_POST['dni']}")";
    Parse error: syntax error, unexpected double-quoted string ")" in /var/www/html/cacau/registrarse/registrarse.php on line 50

    If validation makes it possible to enter only this kind of number, 43632805-B

      If I do the validation with HTML and afterwards the same validation with PHP, I'm not going to have SQL injection
      html5 pattern="[0-9]{8}-[A-Z]{1}"
      preg_match
      preg_match_all
      preg_replace

      $query = "INSERT INTO registrarse (dni) VALUES ('$_POST[dni]')";

      INSERT INTO registrarse (dni) VALUES (''43632805-T')

      bertrc I'm not going to have SQL injection

      As long as you never have any bugs in your code. So, if you feel 100% sure you never write invalid code, nor will anyone else ever inadvertently add a bug while maintaining that code, then sure: go ahead and risk it. 🤷

        Using prepared queries provides protection against SQL special characters in a value breaking the SQL query syntax, which is how SQL injection is accomplished, for all data types, not just strings. This also simplifies the SQL query syntax and its variations, since you are no longer trying to put PHP variables into the string. This eliminates all the extra quotes, {}s, and concatenation dots, which helps prevent PHP and SQL syntax errors.

        If you use prepared queries, you only need to validate that data meets the needs of your application. You don't need to ensure that the validation also provides protection for all data types (strings, numbers, date/time, boolean, null, ...), simplifying the validation logic.

          bertrc If I do the validation with HTML and afterwards the same validation with PHP, I'm not going to have SQL injection

          Validating user input with a regex is certainly an appropriate approach but, as I pointed out in the other thread, your regex isn't doing what you think it is, and your script does appear to me to be vulnerable to SQL injection. It is good practice to get in the habit of using prepared statements.
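To show what the last two replies recommend in working form, here is an added example (not code from the original thread or from bertrc): registrarse.php rewritten to re-run the DNI format check on the server with preg_match and to insert the value through a mysqli prepared statement, so the posted value is bound as a parameter and never spliced into the SQL text. It assumes the host, credentials, database and table shown earlier in the thread. The check-letter step goes beyond the thread's regex: the letter of a Spanish DNI is the digit part modulo 23 looked up in a fixed table, and the thread's own example 43564748-B passes it (43564748 % 23 == 11, position 11 is B).

```php
<?php
// Added example, not the thread's own code. Assumes the localhost/root/"registrarse"
// setup and the CREATE TABLE registrarse (dni CHAR(10) PRIMARY KEY) shown above.
declare(strict_types=1);

// Throw mysqli_sql_exception on any database error instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Returns the canonical DNI ("8 digits, hyphen, upper-case letter") or null.
 * The HTML5 pattern [0-9]{8}-[A-Z]{1} only runs in the browser; anyone can POST
 * directly with curl, so the same rule must be enforced here as well.
 */
function validate_dni(string $raw): ?string
{
    $dni = strtoupper(trim($raw));          // accept "43564748-b", store "43564748-B"
    if (!preg_match('/^([0-9]{8})-([A-Z])$/', $dni, $m)) {
        return null;
    }
    // Stricter than the thread's regex: the letter is a checksum of the number
    // (standard Spanish DNI table; index = number mod 23).
    $letters = 'TRWAGMYFPDXBNJZSQVHLCKE';
    if ($letters[(int) $m[1] % 23] !== $m[2]) {
        return null;
    }
    return $dni;
}

/**
 * Inserts one DNI. The "?" placeholder is filled in by the driver, so a quote or
 * comment sequence inside $dni can never change the statement's structure.
 */
function insert_dni(mysqli $link, string $dni): void
{
    $stmt = $link->prepare('INSERT INTO registrarse (dni) VALUES (?)');
    $stmt->bind_param('s', $dni);
    $stmt->execute();
    $stmt->close();
}

// Request handling; guarded so the functions above can also be included and tested alone.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $dni = validate_dni($_POST['dni'] ?? '');
    if ($dni === null) {
        http_response_code(400);
        exit('Invalid DNI: expected 8 digits, a hyphen and the check letter, e.g. 43564748-B');
    }

    $link = mysqli_connect('localhost', 'root', 'P-11fl32fg14', 'registrarse');
    try {
        insert_dni($link, $dni);
        echo 'Registered ' . htmlspecialchars($dni, ENT_QUOTES, 'UTF-8');
    } catch (mysqli_sql_exception $e) {
        // MySQL error 1062 is a duplicate key: this DNI is already the primary key of a row.
        $dup = ($e->getCode() === 1062);
        http_response_code($dup ? 409 : 500);
        exit($dup ? 'DNI already registered' : 'Database error');
    } finally {
        mysqli_close($link);
    }
}
```

With this structure the thread's earlier attempts are no longer an issue: there is no PHP-mode switch inside the string (the first parse error), no quotes to balance around the value (the second parse error), and a value such as `43632805-T`, whose letter does not match the number, is rejected before the database is touched. The `(int)` cast in the check-letter lookup is safe because the regex has already guaranteed exactly eight digits.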
