Tags: php, pdo, sanitization, filter-var

PHP code inserting empty values in SQL table after adding filter_var


After adding filter_var and then sanitizing the input, my PHP code now inserts empty values in the SQL table. My code worked fine beforehand, but now it doesn't work. How come? I'm trying to sanitize input so no one can hack my data.

<?php
$servername = "localhost";
$username = "****";
$password = "*********";
$dbname = "app";

try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // prepare sql and bind parameters
    $stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (:firstname, :lastname, :email)");
    $stmt->bindParam(':firstname', $firstname);
    $stmt->bindParam(':lastname', $lastname);
    $stmt->bindParam(':email', $email);

    // insert a row
    $firstname = filter_var($firstname, FILTER_SANITIZE_STRING, $_POST["firstname"]);
    $lastname = filter_var($lastname, FILTER_SANITIZE_STRING, $_POST["lastname"]);
    $email = filter_var($email, FILTER_SANITIZE_EMAIL, $_POST["email"]);
    $stmt->execute();

    echo "New records created successfully";
}
catch(PDOException $e)
{
    echo "Error: " . $e->getMessage();
}
$conn = null;
?>

Solution

  • Looks like you aren't passing the right variables into filter_var and aren't checking whether the data is valid.

    // prepare sql and bind parameters
    $stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (:firstname, :lastname, :email)");
    
    // Validate input *BEFORE* binding to statement
    $firstname = filter_var($_POST["firstname"], FILTER_SANITIZE_STRING);
    $lastname = filter_var($_POST["lastname"], FILTER_SANITIZE_STRING);
    $email = filter_var($_POST["email"], FILTER_SANITIZE_EMAIL);
    
    if ($firstname && $lastname && $email) {
        $stmt->bindParam(':firstname', $firstname);
        $stmt->bindParam(':lastname', $lastname);
        $stmt->bindParam(':email', $email);
    
        // insert a row
        $stmt->execute();
    
        echo "New records created successfully";
    } else {
        echo "Failed Data Check: First Name (" . $firstname . ") - Last Name (" . $lastname . ") - EMail (" . $email . ")" ;
    }
    

    You'll probably want to adjust the last debug line.
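As an added example (not the asker's or the answerer's code), the same insert written to validate before binding, using FILTER_VALIDATE_EMAIL so invalid input is rejected rather than rewritten, and with a fixed failure message in place of the debug line that echoes the submitted values back. It assumes the MyGuests(firstname, lastname, email) table from the question and an open PDO connection in $conn.

```php
<?php
// Added example, not the asker's or answerer's code. Assumes the
// MyGuests(firstname, lastname, email) table from the question and an
// open PDO connection in $conn with ERRMODE_EXCEPTION already set.

/** Validate the POSTed fields. Returns the cleaned values, or null if any
 *  field is missing or invalid, so nothing empty ever reaches the INSERT. */
function validateGuest(array $post): ?array
{
    $firstname = trim((string) ($post['firstname'] ?? ''));
    $lastname  = trim((string) ($post['lastname'] ?? ''));
    // FILTER_VALIDATE_EMAIL returns false on bad input instead of rewriting it.
    $email     = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);

    // Names: non-empty, bounded length, no control characters.
    foreach ([$firstname, $lastname] as $name) {
        if ($name === '' || mb_strlen($name) > 50 || preg_match('/[\x00-\x1F\x7F]/', $name)) {
            return null;
        }
    }
    if ($email === false || strlen($email) > 254) {
        return null;
    }
    return ['firstname' => $firstname, 'lastname' => $lastname, 'email' => $email];
}

/** Insert one validated row; the prepared statement handles SQL quoting. */
function insertGuest(PDO $conn, array $guest): void
{
    $stmt = $conn->prepare(
        'INSERT INTO MyGuests (firstname, lastname, email) VALUES (:firstname, :lastname, :email)'
    );
    // Values go to execute() directly, so there is no bind-by-reference ordering to get wrong.
    $stmt->execute([
        ':firstname' => $guest['firstname'],
        ':lastname'  => $guest['lastname'],
        ':email'     => $guest['email'],
    ]);
}

$guest = validateGuest($_POST);
if ($guest === null) {
    http_response_code(400);
    // Fixed message: the submitted values are not echoed back to the browser.
    echo 'Invalid input: first name, last name and a valid email are required.';
} else {
    insertGuest($conn, $guest);
    echo 'New record created successfully';
}
```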