This question already has an answer here:
I am creating an app that needs to connect to a MySQL database and do various things. I have created PhP scripts to do all the server-side stuff for me, like connecting to the database and doing CRUD operations. The PhP script will then echo out the results, which is stored in a String in my code for further handling.
However, i am concerned with security. My PhP scripts are open for everyone to use. For instance: "http://mySite.php?value1=test&value2=test" could be such a script, and what it could do was insert the values in the GET part of the URL into my database.
I know for a fact this isn't safe, but i don't know what to do? The thing is, the PhP script are not linked to/from any where, they are just used in my code only. What i mean by that, is that it is PhP code created to work specifically with my application, so i only ever run them by sending an HTTP request from within the app itself, and i never just run into my browser and type in the address (however, someone else could), which is why i don't think it is very safe.
Any ideas / good suggestions in order to make my scripts safe?
EDIT Here is an example of my code, which i would like to make safe:
$orderGrill = $_GET["getOrder"];
$query = "INSERT INTO grillOrders (`order`, `orderNumber`) VALUES ('{$orderGrill}', {$orderNumber})";
There you can see, how i am just directly using the GET values. But how should i make them safe? I can't use forms since i am running this script from an iPhone app "behind the scenes", so the user can't see the forms.
Thank you
</div>
I really suggest you this one on the php.net manual, it's quite valuable. Prepared statements and filtering.
Use Mysqli or PDO with prepared statements to protect the database. Use htmlentities to protect against xss attacks. Check the manual for more info.