MySQLI Security

$connection = mysqli_connect("localhost", "user", "pw", "user_db");
if (!$connection) {
  // mysql_error() belongs to the old mysql extension; with mysqli the
  // connection error is read with mysqli_connect_error(). Stop on failure.
  echo "Could not connect to the database: " . mysqli_connect_error();
  exit;
}
$getData = mysqli_query($connection, "SELECT * FROM `Articles` ORDER BY ArticleID DESC;");
// Braces are needed here: without them only the $shortened line is inside the loop.
while ($getDataFetch = mysqli_fetch_array($getData)) {
  $shortened = strip_tags(substr($getDataFetch['ArticleContent'], 0, 250));
  echo "<div>
      <a href=\"/blog/".$getDataFetch['ArticleURL']."\">".$getDataFetch['ArticleTitle']."</a>
      </div>";
}

Redesigning my website and also implementing security (even though I’m the only one with access.)

I tried converting this to mysqli and surprisingly it worked on the first attempt. How do I go about making this secure? What functions should I do where? I’m a noobie at security.

On the logic above? Nothing.

Since you are not receiving user input for your query, SQL Injection is out of the question. If you ever implement paging, then you’ll want to gravitate to prepared statements.

Should clarify a few things, how does your data get inputted into the database? Do other users get to submit data? If so, you probably want to utilize htmlentities for anything that does not need to have HTML parsed (title, author, date, etc). As for the article content, if it needs to parse HTML you may want to look at strip_tags and whitelist the HTML you want to support.

1 Like
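The two points in the reply above (prepared statements once paging adds user input, and entity-encoding fields that must not be parsed as HTML) put together in one listing page, as an added example that is not the poster's code. It reuses the Articles table and column names from the original post; the `page` query parameter, the page size and the generic error handling are assumptions.

```php
<?php
// Added example (not from the thread): paginated article listing using a
// mysqli prepared statement, with every value escaped on output.
$connection = mysqli_connect("localhost", "user", "pw", "user_db");
if (!$connection) {
    // Keep the detail in the server log; the visitor gets a generic message.
    error_log("DB connect failed: " . mysqli_connect_error());
    exit("Service temporarily unavailable.");
}

$perPage = 10;                                   // assumed page size
// The page number is the only user input that reaches the query: cast to
// int and clamp so it can never be anything but a positive integer.
$page   = max(1, (int)($_GET['page'] ?? 1));
$offset = ($page - 1) * $perPage;

// Placeholders instead of string concatenation: MySQL receives the SQL
// text and the values separately, so the values cannot change the query.
$stmt = mysqli_prepare(
    $connection,
    "SELECT ArticleTitle, ArticleURL, ArticleContent FROM `Articles`
     ORDER BY ArticleID DESC LIMIT ? OFFSET ?"
);
mysqli_stmt_bind_param($stmt, "ii", $perPage, $offset);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);

// Escape a value for placement in HTML text or a quoted attribute.
function h(string $s): string {
    return htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

while ($row = mysqli_fetch_assoc($result)) {
    // Title and URL are plain text: entity-encode them so a tainted row
    // cannot inject markup (XSS). The excerpt is plain text too, because
    // strip_tags has removed the markup; allowing some HTML through would
    // need a whitelist-based sanitiser instead of htmlentities.
    $shortened = strip_tags(substr($row['ArticleContent'], 0, 250));
    echo "<div>\n"
       . "  <a href=\"/blog/" . h($row['ArticleURL']) . "\">"
       . h($row['ArticleTitle']) . "</a>\n"
       . "  <p>" . h($shortened) . "</p>\n"
       . "</div>\n";
}
mysqli_stmt_close($stmt);
```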

So the only area I’ll need to implement security is my admin control panel where I submit articles? Gotcha - thanks. Pagination will be coming within a month or two. I’m at 7 articles now. Once I hit 11, then pagination will take effect and I’ll need that coded.

Just added a bit more clarification to my original post (as I’d hate to mislead you) :smile: As there are other vulnerabilities than SQL Injection, you could have XSS attacks if the data in your database is tainted.

1 Like

The only interaction allowed in my database is through my panel. To even get there, you need to get through two passwords (both I need to get to - the site design isn’t done still.)

I’ll keep your comments in mind. Off topic, but do you have a good article handy about uploading images to databases? I am modifying my articles database to add a field for images (it will hold 1 image per article) and so far this is the best article I’ve found.

And there are better ways to deal with errors other than echoing them out for any to see.

Not that they would reveal that much information that would compromise security, but better safe than sorry.

1 Like

I moved 15 posts to a new topic: Image Storage - File System Versus Database

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.