Is this safe for SQL injections?

fumeeptc · June 15, 2017, 5:55am

Connection:

$conn = new mysqli($DBServer, $DBUser, $DBPass, $DBName, $DBPort);
if ($conn->connect_error) {
	echo "Database connection failed: " . $conn->connect_error, E_USER_ERROR;
}
mysqli_set_charset($conn,"utf8");

POST:

if($_SERVER["REQUEST_METHOD"] == "POST"){
		require('config.php');
		$myusername=htmlentities($_POST['userName'], ENT_QUOTES, "UTF-8");
		$mypassword=htmlentities($_POST['passWord'], ENT_QUOTES, "UTF-8");
		// DO DELETE . .. WHERE user='".$myusername."'
		// DO SELECT . .. WHERE user='".$myusername."'
		// DO INSERT
		// OR
		// DO UPDATE . .. WHERE user='".$myusername."'
		}

Can i use POST variables safe?

Andres_Vaquero · June 15, 2017, 5:58am

Hi @fumeeptc, not they are not, you should take care of them yourself. You should look into mysqli prepared statements. I suggest you even use the PDO extension instead as it makes it a bit easier to deal with prepared statements.
Cheers

fumeeptc · June 15, 2017, 7:27am

@Andres_Vaquero So here i have a big problem?Or how big is the problem?I m new in security things!

I m working in project and it would be a big job to change to PDO now

colshrapnel · June 15, 2017, 7:28am

Hi @fumeeptc
How do you think, does a function called htmlentities() have any relation to sql?

fumeeptc · June 15, 2017, 7:52am

I will say as is i do not know!

Andres_Vaquero · June 15, 2017, 8:14am

Mysqli also has prepared statements, just not as convenient to use as PDO ones. They add a security layer to your queries. Please do some research and you’ll learn how to use them

fumeeptc · June 15, 2017, 8:17am

@Andres_Vaquero Ok Thanks will do!All i wanted to know was if i can have a problem from some hacker side and get SQL injections !

Andres_Vaquero · June 15, 2017, 9:14am

You can indeed. Use prepared statements, validate and sanitize your input data.

SamA74 · June 15, 2017, 9:33am

Regarding your use of htmlentities(), was that same function applied to the strings when the data was inserted into the table? If not, it may create a mis-match. I would generally use it, or htmlspecialchars() rather, on outputting the data to an html page.
With the user name, if it’s not a “real name” you may restrict the character set available, then strip down any input to that set to ensure it is clean.
With the password, that needs to change. Don’t store raw passwords, it’s a security no no. The password should be hashed after creation, before insertion. The hashed string will be database safe and unreadable to anyone who happens to see it.
In the login, the password input should be checked against the hashed version in the database via password_verify()

fumeeptc · June 15, 2017, 9:44am

@SamA74 I see. … About passwords ,they already are hashed there are no problems. .Question was about SQL injection possibility with this code!

SamA74 · June 15, 2017, 9:55am

That’s good, but why escape it then?

As it stands, assuming the pseudo queries shown, it’s vulnerable. Handling the password like I said will take care of that part. With the user name, do as @Andres_Vaquero says:-

How you validate and sanitise depends of what you decide to accept as valid data for that field. do you allow any string, or a restricted set of characters?

fumeeptc · June 15, 2017, 9:59am

wow . … Ok i needed to show that i hash password
So here could be a trouble. …

username is actually and email address !

Thanks for replays

SamA74 · June 15, 2017, 10:07am

OK, we have filters to validate and sanitise that.
http://php.net/manual/en/filter.examples.validation.php
http://php.net/manual/en/filter.examples.sanitization.php
http://php.net/manual/en/filter.filters.php

fumeeptc · June 15, 2017, 10:08am

Thanks Allot for all the infos!To everyone!

SamA74 · June 15, 2017, 10:23am

Typically you may use a query like this (prepared statement, where :username is bound to a valid email address)

"SELECT password FROM users WHERE user = :username"

Then validate the input against the result:-

if (password_verify($inputPassword, $dbPassword)) {
    // you are in!
}
else{
    // you are not in!
}

fumeeptc · June 15, 2017, 10:25am

Cool

colshrapnel · June 15, 2017, 10:29am

I’ve got a full example but again, for PDO only.
Though I hope that the OP will change their mind and start using PDO prepared statements, which in the end will save their time, as rewriting mysqli to PDO prepared statements will take less time and effort than rewriting mysqli to mysqli prepared statements.

fumeeptc · June 15, 2017, 10:32am

I will consider this!Some other guy says i should start using OOP.
What you think about OOP?

colshrapnel · June 15, 2017, 10:37am

You don’t have to start with OOP.
Object oriented programming is a very complex science, takes several years of hard learning to take into. So for now just forget it.

What you really need is an Object oriented syntax, and it’s really simple, you can learn it in a few minutes for sure.
An object is a variable that may contain either another variable (called a property) or a function (called a method). Both addressed via Arrow operator (->). That’s all.

So instead of

mysqli_query($mysqli, $query);

you can write

$mysqli->query($query);

where query() is a method of the $mysqli object.

Similarly, instead of

mysqli_error($mysqli);

you can write

$mysqli->error;

where error is a property.

As you can see, OOP syntax which is shorter and cleaner.

As of PDO, which you may have probably confused with OOP, it’s really simple too - a couple of functions to tun your queries with prepared statements. And example you can find by the link above.

Andres_Vaquero · June 15, 2017, 10:38am

It is the way you will have to go when you start dealing with a lot of code and large applications. It basically is just a tool to help you organise, reuse and architect your code better. It takes some time to grasp the concepts as practical examples but once you do you wouldn’t go back to procedural coding.