This code is vulnerable to SQL injection. How can I improve it to prevent injections ? And How can I test this code with injections ? This is my code: if (isset ($_POST['name'])) { $name = $_POST['name']; }
if (isset ($_POST['name'])) {
$name = $_POST['name'];
}
if (isset ($_POST['remarcs'])) {
$remarcs = $_POST['remarcs'];
}
if (isset ($_POST['test_res'])) {
$test_res = $_POST['test_res'];
}
if (isset ($_POST['address'])) {
$address = $_POST['address'];
}
if (isset ($_POST['date'])) {
$date = $_POST['date'];
}
if (isset ($_POST['phone_num'])) {
$phone = $_POST['phone_num'];
}
if (isset ($_POST['illness'])) {
$illness = $_POST['illness'];
}
if (isset ($_POST['echo'])) {
$echo = $_POST['echo'];
}
if (isset ($_POST['pe'])) {
$pe = $_POST['pe'];
}
if (isset ($_POST['pmhx'])) {
$pmhx = $_POST['pmhx'];
}
if (isset ($_POST['pshx'])) {
$pshx = $_POST['pshx'];
}
if (isset ($_POST['habbits'])) {
$habbits = $_POST['habbits'];
}
if (isset ($_POST['occup'])) {
$occup = $_POST['occup'];
}
if (isset ($_POST['allergy'])) {
$allergy = $_POST['allergy'];
}
//Check file is uploaded or not
//if (isset($_FILES['file']['name']) && $_FILES['file']['name']!='' && $_FILES['file']['error']=='') {
//$path2 = ... ;
//move_uploaded_file(...);
if(is_uploaded_file($_FILES["file"]["tmp_name"]))
{
$path = "../uploads/".$_FILES['file']['name'];
move_uploaded_file($_FILES["file"]["tmp_name"], $path);
$new_path = "./uploads/".$path;
}
else{
$new_path = $_POST['org_path'];
//$path2 = "../uploads/".$_FILES['echo_photo']['name'];
}
//move_uploaded_file($_FILES["file"]["tmp_name"], $path);
//$new_path = $path;
$sql="UPDATE $tbl_name SET
name = '$name',
echo_files = '$new_path',
remarcs = '$remarcs',
test_res = '$test_res',
date = '$date',
address = '$address',
phone_num = '$phone',
illness = '$illness',
echo = '$echo',
pmhx = '$pmhx',
pshx = '$pshx',
habbits = '$habbits',
occup = '$occup',
allergy = '$allergy',
pe = '$pe'
WHERE id = ".$id;
$result=mysqli_query($con,$sql) or die('Unable to execute query. '. mysqli_error($con));
