We Keep Coding

MYSQL UPDATE injection without pipe [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 2 years ago.
I have a query like this:
update T_table set detail = 'XXXX' where num = 155;
which on my php file looks like this:
$sql = "update T_table set ".$_GET['field']." = '".$_GET['value']."' where num = ".$_GET['num'];
$output = mysql_query($sql);
I would like to know if it is possible to inject SQL where the XXXX are in the query. Because they will be replaced by a sting from $_GET, and if it is possible how would you do?
Important: My MYSQL database is not allowing double pipes (||) as a concatenation operator.

you should use PDO's prepared statements
$query = $db->prepare("update T_table set detail = :detail where num = :num;");
$query->bindParam(":detail", $_GET['detail']);
$query->bindParam(":num", $_GET['num']);
$query->execute();
if you need multiple fields this gets a little more complicated as the user's input can't really be trusted with arbitrary fields:
$allowedFields = ["detail", "cost", "name"];
$field = $_GET['field'];
if(in_array($field, $allowedFields) {
$query = $db->prepare("update T_table set $field = :value where num = :num;");
$query->bindParam(":value", $_GET['value']);
$query->bindParam(":num", $_GET['num']);
$query->execute();
}

SQL Injection php [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 months ago.
I'm practicing SQL injection.
http://localhost/injection/index.php?id=1%3BDELETE+FROM+users
with this injection, only the first code works.
with second code get this error:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DELETE FROM users' at line 3
$pdo = new PDO('mysql:host=localhost;dbname=injection', 'root', '');
$id = $_GET['id'];
$statement = $pdo->query("SELECT * FROM users WHERE id = ".$id."");
$row = $statement->fetch(PDO::FETCH_ASSOC);
echo htmlentities($row['users']);
require_once("conn.php");
$id = $_GET['id'];
$query = "SELECT *
FROM users
WHERE id = ".$id."";
$result = mysqli_query($conn,$query) or die("Error: ".mysqli_error($conn));
$row = mysqli_fetch_array($result);
echo htmlentities($row['users']);

It seems that mysqli_query does not support multiple query. You should try to use mysqli_multi_query(), but from a security point of view, it is not a good idea.

Get id of last inserted prepared statement [duplicate]

This question already has answers here:
mysqli last insert id
(3 answers)
Closed 6 years ago.
How to get the id of the last inserted query using prepared statement ?
I wrote some PHP but I only get "0" as a result.
I tried to use the answer from this question : Similar question on SO
$locationName = $_GET['locationName'];
$locationResume = $_GET['locationResume'];
$sql = "INSERT INTO location (locationTitle, locationResume) VALUES (?,?);";
if ($locationName != null && $locationResume != null ) {
if ($stmt = $con->prepare($sql)) {
$stmt->bind_param("ss", $locationName, $locationResume);
$locationId = $con->insert_id;
#$locationId = $con->execute();
echo $locationId;
}
}
Thank you for your help.

You can get last_insert_id only after query execution.

How do I protect against injection for 2+ $_POST[variables] in mySQL query? [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Binding multiple values in pdo
(3 answers)
Closed 6 years ago.
I have prepared a series of queries which work. Now I am in the process of securing these queries against injection. I can do it fine when I have one variable in the query but have not been able to find how to do it for more with trial and error.
This is what I am doing (See $sql and $handle->execute()):
<?php
$sql = "SELECT FORMAT (z.PriceMultiplier * p.BasicTicketPrice,2)
AS totalPrice
FROM Zone z JOIN Production p
WHERE p.Title = :n AND z.Name = :n";
$handle = $conn->prepare($sql);
$zone = "$_POST[Zone]";
$prod = "$_POST[Production]";
$handle->execute(array(":n"=> $zone, $prod))
$conn = null;
$res = $handle->fetchAll();
foreach($res as $row) {
echo "<input name='Price' type='text' readonly='readonly' value=£".$row['totalPrice']."><br>";
}
?>
How do I assign the variables $zone and $prod to the statement in handle->execute()?
Thank you in advance.
[edit1: SOLUTION: Use ? instead of :n p.Title = ? AND z.Name = ? and just do $handle->execute(array($zone, $prod))]
[edit2: I do not believe this is a duplicate - the question is not how to prevent an injection attack... it is how to deal with multiple variables in doing so.]

PHP changing from mysql_real_escape_string to PDO in table name [duplicate]

This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 9 years ago.
I currently use mysql_real_escape_string to escape variable in mysql query. I know how to use bindValue, but I have a question about protection when I'm trying to insert table name from variable. For example
$tablename = mysql_real_escape_string($name_from_form);
$get = mysql_query("SELECT * FROM ".$tablename." WHERE keyword='something'");
Can anybody help me with an example of how to do PDO prepared statements which will do the same as above?

You won't be able to escape the table name (I hope that $tablename isn't coming from an outside source - If it is, you will need to whitelist what table names are allowed). In PDO, your code could look something like:
$allowedTables = array('posts', 'users');
if(!in_array($tablename, $allowedTables)){
throw new Exception('Invalid table name: ' . $tablename);
}
$keyword = 'something';
$stmt = $dbh->prepare("SELECT * FROM " . $tablename . " WHERE keyword = :keyword");
$stmt->bindParam(':keyword', $keyword);
$stmt->execute();