homepage Welcome to WebmasterWorld Guest from 54.197.171.109
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
Forum Library, Charter, Moderators: coopster & jatar k

PHP Server Side Scripting Forum

    
Is the code safe from mysql injections?
rigaconnect




msg:4544115
 11:47 am on Feb 9, 2013 (gmt 0)

Is the code safe from mysql injections?
Possibly some mistakes in code?
The code is working... i only want to know possibly some mistakes, etc....

connect to database
$mysqli = new mysqli($dbhost, $dbuser, $dbpass, $dbname);

somewhere read that set character is necessary for security
$mysqli->set_charset('utf8');

get users's post email
$email= $mysqli->real_escape_string($_POST['email']);

get corresponding values from columns email, username and confirmationCode (if users enters already registered email, get corresponding values (within the row))
if ($stmt = mysqli_prepare($mysqli, "SELECT email, username, confirmationCode FROM $create_new_table WHERE email = ? ")) {

as i understand this passes users's entered email to value that must be used to check values in mysql?
$stmt->bind_param('s', $email);

execute query
$stmt->execute();

? stores what result? if users's entered email matches email in mysql?
$stmt->store_result();


can not fully understand... bind results... what is the difference from bind_param?
$stmt->bind_result($email, $username, $confirmationCode);

get results from mysql?
$stmt->fetch();


here inform visitor if email is already registered
elseif( (strlen($_POST['email']) > 0) and ($stmt->num_rows > 0) ) {
$error .= '<font color="#FF0000">The email is already registered. Please, choose other email or <a href="reset-password.php">reset password</a>.
</font>';

 

swa66




msg:4544118
 12:09 pm on Feb 9, 2013 (gmt 0)

Looks ok on first look, but if you use prepared statements, there is no need to use mysqli::real_escape_string on the parameters that you include in the SQL query via the "?" (as bind parameter).

Actually I'm convinced it's better not to do it a it means that you store the escaped strings is you use it in a insert or update statement.

I don't believe it's productive in this example to use mysqli::store_result : it transfers the results to memory. You need it if you want to loop through results and do other queries while iterating over the results.

mysqli::bind_result is used to tell where the columns in the result of a select should go
mysqli::bind_param is used to tell which variable is to replace the "?" in the prepared statement


UTF-8: make sure to get everything else in UTF-8 as well (the html, the database, the fields in the database, ...)

rigaconnect




msg:4544126
 12:24 pm on Feb 9, 2013 (gmt 0)

Thank you for information.
As i understand the main part that prevents sql injection is
WHERE email = ? and then $stmt->bind_param('s', $email);
if instead of ? would be $email then prepared statemnt would not prevent sql injection...

swa66




msg:4544134
 1:31 pm on Feb 9, 2013 (gmt 0)

correct

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved