This question already has answers here:
How does the SQL injection from the "Bobby Tables" XKCD comic work?
(13 answers)
Closed 8 years ago.
Hi i know parameterized statements and escaping data is good practice for preventing SQL injection. But i was curious to see it in action so i set up a database to see . The problem is i keep getting a error or its not injecting correctly.
$ans = $_POST['answer'];
$query = "SELECT username from `members` where password = '$ans'";
$c = $db ->query($query);
$c=$c->fetch(PDO::FETCH_ASSOC);
echo $c['username'];
I tried the typical 'Or 1=1' injections and its variations and i keep coming up with errors on the fetch or it not working at all.
$sql="SELECT username from `members` where password = :mypassword";
// Create prepared statement
$stm = $db->prepare($sql);
$stm->bindParam(':mypassword', $ans, PDO::PARAM_STR);
$stm->execute();
echo $stm->fetchColumn();
Related
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 months ago.
I'm practicing SQL injection.
http://localhost/injection/index.php?id=1%3BDELETE+FROM+users
with this injection, only the first code works.
with second code get this error:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DELETE FROM users' at line 3
$pdo = new PDO('mysql:host=localhost;dbname=injection', 'root', '');
$id = $_GET['id'];
$statement = $pdo->query("SELECT * FROM users WHERE id = ".$id."");
$row = $statement->fetch(PDO::FETCH_ASSOC);
echo htmlentities($row['users']);
require_once("conn.php");
$id = $_GET['id'];
$query = "SELECT *
FROM users
WHERE id = ".$id."";
$result = mysqli_query($conn,$query) or die("Error: ".mysqli_error($conn));
$row = mysqli_fetch_array($result);
echo htmlentities($row['users']);
It seems that mysqli_query does not support multiple query. You should try to use mysqli_multi_query(), but from a security point of view, it is not a good idea.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 5 years ago.
I just want to check how safe (if at all) my PHP-MYSQL queries are, I'm using user data which is coming through $_POST and then validating - the validation process of all data includes using mysqli_real_escape_string() on the string and trim(). The nature of some of my inputs however means that I don't restrict any characters on user input. Is what I'm doing safe and if not how could it be improved.
An example of an insert query (where $name and $description are $_POST data values which have been through a validation function.)
$sql = "INSERT INTO company(company_name, company_description) VALUES('".$name."', '".$description."')";
$result = mysqli_query($con, $sql);
An example of a select query (where $companyid is user input, real_escaped and stripped)
$sql = "SELECT * FROM events WHERE event_company=".$companyid."";
$result = mysqli_query($con, $sql);
Thanks in advance.
Here are your queries updated to use mysqli prepared statements.
$sql = "INSERT INTO `company` (`company_name`, `company_description`) VALUES(?, ?)";
$stmt = $con->prepare($sql);
$stmt->bind_param('ss',$name,$description); // ss is for string string
$stmt->execute();
$result = $stmt->get_result();
and
$sql = "SELECT * FROM `events` WHERE `event_company` = ?";
$stmt = $con->prepare($sql);
$stmt->bind_param('i',$companyid); // i indicates integer
$stmt->execute();
$result = $stmt->get_result();
There a type of hack called "SQL INJECTION" which can deceive your control. Read there for more information https://www.veracode.com/security/sql-injection
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 11 months ago.
I want to see if my practice is good enough to protect from sql injection.
$mysqli = new mysqli($host,$username,$password,$database);
$query = $mysqli->prepare('SELECT * FROM users WHERE id = ? AND check = ?');
$query->bind_param('ii', $_GET['id'], $_POST['check']);
$query->execute();
$result = $mysqli->query($query);
while ($row = $result->fetch_assoc()) {
...
}
I've seen that in some examples have this line before the while:
$result = $query->get_result();
And others that use trim(), intval() etc in $_GET/$_POST for safety.
Which is the best practice and safest way to avoid sql injections?
The best MySQLi prepared statement practice is apparently a PDO prepared statement
the code you posted above just makes no sense. To make it work, indeed you have to use get_result() function, which - alas! - is not guaranteed to be available:
$query = $mysqli->prepare('SELECT * FROM users WHERE id = ? AND check = ?');
$query->bind_param('ii', $_GET['id'], $_POST['check']);
$query->execute();
$result = $query->get_result();
while ($row = $result->fetch_assoc()) {
...
}
while with PDO you need two times less code which is always guaranteed to work
$query = $pdo->prepare('SELECT * FROM users WHERE id = ? AND check = ?');
$query->execute([$_GET['id'], $_POST['check']]);
while ($row = $query->fetch()) {
...
}
not to mention other PDO's wonderful features
And others that use trim(), intval() etc
these things are just irrelevant it SQL, you may use them for whatever else reason.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
1. how to work php sql injection and use in site ?
my site login process easily login any person with out username & password.plz describe how to safe login process.
example :
$logindetail = "select * from tablename where username = '".$_REQUEST['username']."' and password = '".$_REQUEST['password']."' ";
$sqlrun = mysql_query($logindetail);
$recordcount = mysql_num_rows($sqlrun);
in this login process how would sql injection be used?
It's not clear whether you're asking for someone to explain how to prevent SQL injection, or how someone might use SQL injection to get into your site.
To prevent SQL injection, use parameterised queries. This has already been well explained in this question: How can I prevent SQL injection in PHP?
If someone realised your site was vulnerable to SQL injection, they could log on to your site as any known username, by entering this into the username box
admin' OR 1=1 --
This makes the SQL that is executed on the database server:
"select * from tablename where username = 'admin' OR 1=1 -- and password = '' "
The OR 1=1 will evaluate to true and the -- comments out the rest of the SQL string and prevent the password check.
I'm not going to get into password hashing, as I assume this is a small example.
use mysqli or PDO preprared statements to execute a query. mysql is deprecated.Something like this:-
<?php
$con = new mysqli('host','user','pass','db');
if(!$con)
die();
$stmt = $con->prepare("select * from tablename where username = ? and password =?");
$stmt->bind_param('ss',$_REQUEST['username'],$_REQUEST['password']);
$stmt->execute();
$stmt->close();
This can be a more safer way to stop SQL injection. Learn more from Here
Change first line to:
$logindetail = "select * from tablename where username = '".mysql_real_escape_string($_REQUEST['username'])."' and password = '".mysql_real_escape_string($_REQUEST['password'])."' ";
Use prepared statements and parameterized queries.
Can achieve this by using msqli
http://php.net/manual/en/book.mysqli.php
quick tutorial. http://www.phphaven.com/article.php?id=65
example code
<?php
// CONNECT TO THE DATABASE
$DB_NAME = 'DATABASE_NAME';
$DB_HOST = 'DATABASE_HOST';
$DB_USER = 'DATABASE_USER';
$DB_PASS = 'DATABASE_PASSWORD';
$mysqli = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME);
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
// A QUICK QUERY ON A FAKE USER TABLE
$query = "SELECT * FROM `users` WHERE `status`='bonkers'";
$result = $mysqli->query($query) or die($mysqli->error.__LINE__);
// GOING THROUGH THE DATA
if($result->num_rows > 0) {
while($row = $result->fetch_assoc()) {
echo stripslashes($row['username']);
}
}
else {
echo 'NO RESULTS';
}
// CLOSE CONNECTION
mysqli_close($mysqli);
?>
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
Have a minor issue when updating records in MySQL using PDO. It fails to update when I use grammar so for an example, if I use: ' it fails me. I am using my prepare, but it's just the apostrophe that fails to work?
if($_POST['ourstory']) {
foreach($_POST['ourstory'] as $id => $ourstory) {
$sql = "UPDATE our_story SET content = '$ourstory' WHERE id = '$id'";
$q = $db->prepare($sql);
$q->execute(array($id,$ourstory));
}
}
That's not how you use prepared statements. You want to use a ? in your query.
$sql = "UPDATE our_story SET content = ? WHERE id = ?";
$q = $db->prepare($sql);
$q->execute(array($ourstory, $id));