This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 months ago.
I'm practicing SQL injection.
http://localhost/injection/index.php?id=1%3BDELETE+FROM+users
With this injection, only the first code works.
With the second code I get this error:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DELETE FROM users' at line 3
$pdo = new PDO('mysql:host=localhost;dbname=injection', 'root', '');
$id = $_GET['id'];
// $id is concatenated straight into the SQL text, which is what makes the injection possible
$statement = $pdo->query("SELECT * FROM users WHERE id = " . $id);
$row = $statement->fetch(PDO::FETCH_ASSOC);
echo htmlentities($row['users']);
require_once("conn.php");
$id = $_GET['id'];
// same concatenation as above, but sent through mysqli_query() instead of PDO::query()
$query = "SELECT *
FROM users
WHERE id = " . $id;
$result = mysqli_query($conn, $query) or die("Error: " . mysqli_error($conn));
$row = mysqli_fetch_array($result);
echo htmlentities($row['users']);
It seems that mysqli_query does not support multiple queries. You could try mysqli_multi_query(), but from a security point of view it is not a good idea.
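The reason the first snippet runs the DELETE is that PDO's MySQL driver allows several statements per call by default, while mysqli_query() sends a single statement. The following is an added example (not code from the question or the answer above) that hardens the PDO snippet: the id is validated as an integer and bound as a parameter instead of concatenated, real server-side prepares are enabled, and the driver is told to refuse stacked statements at connection time. The host, credentials and database name are taken from the question; the users table and its id column are assumed.

```php
<?php
// Added example, not the original poster's or answerer's code.
// Hardened version of the PDO snippet above.
declare(strict_types=1);

function connect(): PDO
{
    $options = [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Real prepared statements: bound values never touch the SQL text.
        PDO::ATTR_EMULATE_PREPARES => false,
        // Refuse "...;DELETE FROM users" at the driver level, even if a raw
        // query() slips through somewhere. Must be set in the constructor.
        PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
    ];
    // Connection details copied from the question.
    return new PDO('mysql:host=localhost;dbname=injection;charset=utf8mb4', 'root', '', $options);
}

function findUserById(PDO $pdo, string $rawId): ?array
{
    // Reject anything that is not a plain positive integer before it gets near SQL.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Assumed schema: table users with an integer id column.
    $stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$row = findUserById(connect(), $_GET['id'] ?? '');
if ($row === null) {
    http_response_code(404);
    echo 'No such user';
} else {
    // Escape on output as well: SQL injection and XSS are separate problems.
    echo htmlspecialchars((string) json_encode($row), ENT_QUOTES, 'UTF-8');
}
```

With these options, `?id=1%3BDELETE+FROM+users` fails the integer check and never reaches the database, and a stacked statement that somehow did reach PDO::query() would be rejected by the server connection rather than executed.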
This question already has answers here:
How to include a PHP variable inside a MySQL statement
(5 answers)
Closed 2 years ago.
So I'm building a website and I need to access a table which holds the information about products.
I'm using this to navigate to the page:
<a href="productDetails.php?table=FeaturedProducts&id=1" >
Then in the product details page I'm using this to run the PHP query:
<?php
require "connection.php";
$table = $_GET["table"];
$id = $_GET["id"];
$sql = "select * from '.$table.' where ID = '.$id.'";
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_array($result);
$pname = $row['Product_name'];
?>
This doesn't seem to work. Please tell me how I can do this.
You made a mistake in your concatenation of strings. Take a look at your code here:
$sql = "select * from '.$table.' where ID = '.$id.'";
You try to concatenate the $table and $id variables. (We agree it's a SQL injection problem.)
But PHP will interpret the resulting string like this: select * from '.FeaturedProducts.' where ID = '.1.'
So the ' are not necessary in your code for the table name, and it adds dots to your values. That is why MySQL gives you an error message.
So your correct code will be (and modify it to use prepared statements to avoid SQL injection):
$sql = "select * from $table where ID = '$id'";
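A table name cannot be bound as a parameter, so a prepared statement on its own does not fix the $table part of this query. The following is an added example (not code from the question or the answer above) that checks the table name against a fixed list of allowed identifiers and binds the id. It assumes a mysqli connection in $conn from connection.php, the ID and Product_name columns used in the question, and a made-up list of product tables.

```php
<?php
// Added example, not the original poster's or answerer's code.
declare(strict_types=1);

require "connection.php"; // assumed to provide a mysqli connection in $conn

// Only identifiers listed here can ever reach the query text. FeaturedProducts
// comes from the question; the other two names are made up for the example.
const PRODUCT_TABLES = ['FeaturedProducts', 'NewProducts', 'ClearanceProducts'];

function fetchProduct(mysqli $conn, string $table, string $rawId): ?array
{
    if (!in_array($table, PRODUCT_TABLES, true)) {
        return null; // unknown table: do not build a query at all
    }
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // $table is a value from our own list, so quoting it as an identifier is
    // safe; the id goes in as a bound parameter and is never part of the SQL.
    $stmt = $conn->prepare("SELECT * FROM `{$table}` WHERE ID = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$row = fetchProduct($conn, $_GET['table'] ?? '', $_GET['id'] ?? '');
if ($row === null) {
    http_response_code(404);
    exit('Product not found');
}
$pname = $row['Product_name'];
echo htmlspecialchars($pname, ENT_QUOTES, 'UTF-8');
```

get_result() needs the mysqlnd driver; if it is unavailable, bind_result()/fetch() on the statement gives the same row without it.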
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 5 years ago.
I just want to check how safe (if at all) my PHP-MySQL queries are. I'm using user data which comes in through $_POST and then validating it; the validation process for all data includes using mysqli_real_escape_string() on the string and trim(). The nature of some of my inputs, however, means that I don't restrict any characters on user input. Is what I'm doing safe, and if not, how could it be improved?
An example of an insert query (where $name and $description are $_POST data values which have been through a validation function):
$sql = "INSERT INTO company(company_name, company_description) VALUES('" . $name . "', '" . $description . "')";
$result = mysqli_query($con, $sql);
An example of a select query (where $companyid is user input, real_escaped and stripped):
$sql = "SELECT * FROM events WHERE event_company=" . $companyid;
$result = mysqli_query($con, $sql);
Thanks in advance.
Here are your queries updated to use mysqli prepared statements.
$sql = "INSERT INTO `company` (`company_name`, `company_description`) VALUES(?, ?)";
$stmt = $con->prepare($sql);
$stmt->bind_param('ss',$name,$description); // ss is for string string
$stmt->execute();
$result = $stmt->get_result();
and
$sql = "SELECT * FROM `events` WHERE `event_company` = ?";
$stmt = $con->prepare($sql);
$stmt->bind_param('i',$companyid); // i indicates integer
$stmt->execute();
$result = $stmt->get_result();
There is a type of hack called "SQL injection" which can deceive your controls. Read here for more information: https://www.veracode.com/security/sql-injection
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I'm using a PHP script in my Android project to delete a row from the database. Here is the PHP file content:
<?php
$pseudo = $_POST['pseudo'];
define('HOST', 'localhost');
define('USER', 'root');
define('PASS', '');
define('DB', 'ract');
$con = mysqli_connect(HOST, USER, PASS, DB);
// $pseudo is placed in the query unquoted and unescaped
$sql = "DELETE from utilisateur where pseudo=$pseudo";
$res = mysqli_query($con, $sql);
?>
I think that the main problem is in comparing pseudo to $pseudo.
For God's sake, protect your query against SQL injection:
$sql = "DELETE from utilisateur where pseudo = '".mysqli_real_escape_string($con, $pseudo)."'";
$sql = "DELETE from utilisateur where pseudo = '$pseudo'";
This question already has answers here:
How does the SQL injection from the "Bobby Tables" XKCD comic work?
(13 answers)
Closed 8 years ago.
Hi, I know parameterized statements and escaping data are good practice for preventing SQL injection. But I was curious to see it in action, so I set up a database to try it. The problem is I keep getting an error or it's not injecting correctly.
$ans = $_POST['answer'];
$query = "SELECT username from `members` where password = '$ans'";
$c = $db->query($query);
$c = $c->fetch(PDO::FETCH_ASSOC);
echo $c['username'];
I tried the typical 'Or 1=1' injections and their variations, and I keep coming up with errors on the fetch or it not working at all.
$sql = "SELECT username from `members` where password = :mypassword";
// Create prepared statement
$stm = $db->prepare($sql);
$stm->bindParam(':mypassword', $ans, PDO::PARAM_STR);
$stm->execute();
echo $stm->fetchColumn();
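To see why the plain 'Or 1=1' attempts error out and what the prepared version changes, here is an added example (not code from the question or the answer above) that runs the question's vulnerable query and the answer's prepared one side by side. It uses an in-memory SQLite table with made-up rows so it runs without a MySQL server; the members table and its two columns follow the question, and the payloads are standard textbook inputs chosen for the example.

```php
<?php
// Added example, not the original poster's or answerer's code.
declare(strict_types=1);

// Constructed test data: an in-memory SQLite table shaped like the question's.
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (username TEXT, password TEXT)');
    $db->exec("INSERT INTO members VALUES ('alice', 'hunter2'), ('bob', 'letmein')");
    return $db;
}

// The question's code: $ans is pasted straight into the SQL text.
function vulnerableLookup(PDO $db, string $ans): ?string
{
    $query = "SELECT username from `members` where password = '$ans'";
    $c = $db->query($query)->fetch(PDO::FETCH_ASSOC);
    return $c === false ? null : $c['username'];
}

// The answer's code: $ans is bound, so it is only ever compared as data.
function preparedLookup(PDO $db, string $ans): ?string
{
    $stm = $db->prepare('SELECT username from `members` where password = :mypassword');
    $stm->bindParam(':mypassword', $ans, PDO::PARAM_STR);
    $stm->execute();
    $username = $stm->fetchColumn();
    return $username === false ? null : $username;
}

$db = makeDb();

// "' Or 1=1" on its own leaves a dangling quote in the statement:
//     ... where password = '' Or 1=1'
// which is the syntax error the question keeps hitting.
try {
    vulnerableLookup($db, "' Or 1=1");
} catch (PDOException $e) {
    echo "bare ' Or 1=1 -> syntax error: {$e->getMessage()}\n";
}

// Closing the quote yourself keeps the statement well formed:
//     ... where password = '' OR '1'='1
// so the WHERE clause is always true and the first member's name comes back.
// The prepared version compares the whole payload to the password column
// as a string and finds nothing.
$payload = "' OR '1'='1";
echo 'vulnerable: ', vulnerableLookup($db, $payload) ?? '(none)', "\n";
echo 'prepared:   ', preparedLookup($db, $payload) ?? '(none)', "\n";
```

The same mechanics apply to the MySQL table in the question; only the error text differs, and on MySQL a trailing comment (`' OR 1=1 -- ` with the space) is the other common way to absorb the dangling quote.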
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
I have a minor issue when updating records in MySQL using PDO. It fails to update when I use grammar, so for example, if I use ' it fails on me. I am using prepare, but it's just the apostrophe that fails to work?
if ($_POST['ourstory']) {
    foreach ($_POST['ourstory'] as $id => $ourstory) {
        $sql = "UPDATE our_story SET content = '$ourstory' WHERE id = '$id'";
        $q = $db->prepare($sql);
        $q->execute(array($id, $ourstory));
    }
}
That's not how you use prepared statements. You want to use a ? in your query.
$sql = "UPDATE our_story SET content = ? WHERE id = ?";
$q = $db->prepare($sql);
$q->execute(array($ourstory, $id));
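The interpolated version breaks on an apostrophe because the quote in $ourstory becomes part of the SQL text before prepare() ever sees it; with placeholders the driver supplies the value separately. Here is an added example (not code from the question or the answer above) that runs the corrected loop once per posted row, preparing the statement a single time, and reads the rows back to show the apostrophes stored intact. It uses an in-memory SQLite table with made-up rows so it runs without MySQL; the our_story table and its id and content columns follow the question.

```php
<?php
// Added example, not the original poster's or answerer's code.
declare(strict_types=1);

// Constructed test data: an in-memory SQLite table shaped like the question's.
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE our_story (id INTEGER PRIMARY KEY, content TEXT)');
    $db->exec("INSERT INTO our_story (id, content) VALUES (1, 'old one'), (2, 'old two')");
    return $db;
}

// Applies every id => content pair and returns the number of rows changed.
function updateStories(PDO $db, array $ourstories): int
{
    // Prepare once, execute per row. The ? placeholders are filled by the
    // driver, so quotes and semicolons in $ourstory are data, never SQL.
    $q = $db->prepare('UPDATE our_story SET content = ? WHERE id = ?');
    $changed = 0;
    foreach ($ourstories as $id => $ourstory) {
        $q->execute([$ourstory, (int) $id]); // order must match the ? order
        $changed += $q->rowCount();
    }
    return $changed;
}

// Stands in for $_POST['ourstory'] from the question (constructed input).
$posted = [
    1 => "We're a family business; it's been 30 years",
    2 => "Bob's story, with 'quotes' and a ; semicolon",
];

$db = makeDb();
echo 'rows changed: ', updateStories($db, $posted), "\n";
foreach ($db->query('SELECT id, content FROM our_story ORDER BY id') as $row) {
    echo "{$row['id']}: {$row['content']}\n";
}
```

Preparing outside the loop is also what makes the prepared statement cheap: the server parses the UPDATE once and only the bound values change per execute().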