This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 5 years ago.
I just want to check how safe (if at all) my PHP-MYSQL queries are, I'm using user data which is coming through $_POST and then validating - the validation process of all data includes using mysqli_real_escape_string() on the string and trim(). The nature of some of my inputs however means that I don't restrict any characters on user input. Is what I'm doing safe and if not how could it be improved.
An example of an insert query (where $name and $description are $_POST data values which have been through a validation function.)
$sql = "INSERT INTO company(company_name, company_description) VALUES('".$name."', '".$description."')";
$result = mysqli_query($con, $sql);
An example of a select query (where $companyid is user input, real_escaped and stripped)
$sql = "SELECT * FROM events WHERE event_company=".$companyid."";
$result = mysqli_query($con, $sql);
Thanks in advance.
Here are your queries updated to use mysqli prepared statements.
$sql = "INSERT INTO `company` (`company_name`, `company_description`) VALUES(?, ?)";
$stmt = $con->prepare($sql);
$stmt->bind_param('ss',$name,$description); // ss is for string string
$stmt->execute();
$result = $stmt->get_result();
and
$sql = "SELECT * FROM `events` WHERE `event_company` = ?";
$stmt = $con->prepare($sql);
$stmt->bind_param('i',$companyid); // i indicates integer
$stmt->execute();
$result = $stmt->get_result();
There a type of hack called "SQL INJECTION" which can deceive your control. Read there for more information https://www.veracode.com/security/sql-injection
Related
This question already has answers here:
Single result from database using mysqli
(6 answers)
Closed 5 months ago.
I am trying to get a value from column "odznak" in "users" tab for user "user01" and store it in variable $odznak (for searching in another tab.
$stmt = $conn->prepare("SELECT odznak FROM users WHERE username = 'user01'");
$stmt->execute();
$result = $stmt;
$odznak;
You need to fetch the data (say into an associative array)
On the other hand, as a good practice, please use parameterized prepared statement in your select query
So, change to:
$stmt = $conn->prepare("SELECT odznak FROM users WHERE username = ?");
$stmt->bind_param("s", 'user01');
$stmt->execute();
$result = $stmt->get_result();
$row = $result->fetch_assoc();
$odznak=$row["odznak"];
Now, $odznak is the retrieved data
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 2 years ago.
I have a query like this:
update T_table set detail = 'XXXX' where num = 155;
which on my php file looks like this:
$sql = "update T_table set ".$_GET['field']." = '".$_GET['value']."' where num = ".$_GET['num'];
$output = mysql_query($sql);
I would like to know if it is possible to inject SQL where the XXXX are in the query. Because they will be replaced by a sting from $_GET, and if it is possible how would you do?
Important: My MYSQL database is not allowing double pipes (||) as a concatenation operator.
you should use PDO's prepared statements
$query = $db->prepare("update T_table set detail = :detail where num = :num;");
$query->bindParam(":detail", $_GET['detail']);
$query->bindParam(":num", $_GET['num']);
$query->execute();
if you need multiple fields this gets a little more complicated as the user's input can't really be trusted with arbitrary fields:
$allowedFields = ["detail", "cost", "name"];
$field = $_GET['field'];
if(in_array($field, $allowedFields) {
$query = $db->prepare("update T_table set $field = :value where num = :num;");
$query->bindParam(":value", $_GET['value']);
$query->bindParam(":num", $_GET['num']);
$query->execute();
}
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 11 months ago.
I want to see if my practice is good enough to protect from sql injection.
$mysqli = new mysqli($host,$username,$password,$database);
$query = $mysqli->prepare('SELECT * FROM users WHERE id = ? AND check = ?');
$query->bind_param('ii', $_GET['id'], $_POST['check']);
$query->execute();
$result = $mysqli->query($query);
while ($row = $result->fetch_assoc()) {
...
}
I've seen that in some examples have this line before the while:
$result = $query->get_result();
And others that use trim(), intval() etc in $_GET/$_POST for safety.
Which is the best practice and safest way to avoid sql injections?
The best MySQLi prepared statement practice is apparently a PDO prepared statement
the code you posted above just makes no sense. To make it work, indeed you have to use get_result() function, which - alas! - is not guaranteed to be available:
$query = $mysqli->prepare('SELECT * FROM users WHERE id = ? AND check = ?');
$query->bind_param('ii', $_GET['id'], $_POST['check']);
$query->execute();
$result = $query->get_result();
while ($row = $result->fetch_assoc()) {
...
}
while with PDO you need two times less code which is always guaranteed to work
$query = $pdo->prepare('SELECT * FROM users WHERE id = ? AND check = ?');
$query->execute([$_GET['id'], $_POST['check']]);
while ($row = $query->fetch()) {
...
}
not to mention other PDO's wonderful features
And others that use trim(), intval() etc
these things are just irrelevant it SQL, you may use them for whatever else reason.
My code is like this:
$sql = "INSERT INTO oraculo VALUES(".$name.$pass.")";
pg_query($dbconn, $sql);
In java i use PreparedStament to insert values without concatenate strings (to avoid sql injection if im right). Is possible to do something like this in PHP? Im want to do something like this:
$sql = "INSERT INTO oraculo VALUES(?, ?)";
//set the value of first '?'
setValue(1, "somename");
//set the value of second '?'
setValue(2, "somepass");
pg_query($dbconn, $sql);
You can use pg_prepare to execute prepared statements to postgres in PHP.
So your code would look like:
pg_prepare($dbconn, "login", 'SELECT * FROM shops WHERE name = $1');
$rs = pg_execute($dbconn, "login", array("somename", "somepass"));
This question already has answers here:
MySQLi equivalent of mysql_result()?
(12 answers)
Closed 9 years ago.
I am trying to return the user's id number from the database but I can't figure out how to return the result of the query. I used to use mysql_result() so what would I need to do now that I'm using mysqli?
function user_id_from_username($username){
$query = mysqli_query($conn, "SELECT `user_id` FROM `users` WHERE `username` = '$username'");
return (what?);
}
You haven't reaped one of the main benefits of moving from mysql to mysqli, which is using prepared statements to parameterize your queries and protect yourself from injection.
$query = mysqli_prepare($conn, "SELECT user_id FROM `users` WHERE username = ?");
mysqli_stmt_bind_param($query, "s", $username);
mysqli_stmt_execute($query);
mysqli_stmt_bind_result($query, $userid);
mysqli_stmt_fetch($query);
//$userid is now user_id
check this http://php.net/manual/en/mysqli.query.php for myqli_query usage. and this http://www.php.net/manual/en/class.mysqli-result.php on how to get the values from the result.