| Is the code safe from mysql injections?
|
rigaconnect
msg:4544115 | 11:47 am on Feb 9, 2013 (gmt 0) |
Is the code safe from mysql injections?
Possibly some mistakes in code?
The code is working... i only want to know possibly some mistakes, etc....
connect to database
$mysqli = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
somewhere read that set character is necessary for security
$mysqli->set_charset('utf8');
get users's post email
$email= $mysqli->real_escape_string($_POST['email']);
get corresponding values from columns email, username and confirmationCode (if users enters already registered email, get corresponding values (within the row))
if ($stmt = mysqli_prepare($mysqli, "SELECT email, username, confirmationCode FROM $create_new_table WHERE email = ? ")) {
as i understand this passes users's entered email to value that must be used to check values in mysql?
$stmt->bind_param('s', $email);
execute query
$stmt->execute();
? stores what result? if users's entered email matches email in mysql?
$stmt->store_result();
can not fully understand... bind results... what is the difference from bind_param?
$stmt->bind_result($email, $username, $confirmationCode);
get results from mysql?
$stmt->fetch();
here inform visitor if email is already registered
elseif( (strlen($_POST['email']) > 0) and ($stmt->num_rows > 0) ) {
$error .= '<font color="#FF0000">The email is already registered. Please, choose other email or <a href="reset-password.php">reset password</a>.
</font>';
|
swa66
msg:4544118 | 12:09 pm on Feb 9, 2013 (gmt 0) |
Looks ok on first look, but if you use prepared statements, there is no need to use mysqli::real_escape_string on the parameters that you include in the SQL query via the "?" (as bind parameter).
Actually I'm convinced it's better not to do it a it means that you store the escaped strings is you use it in a insert or update statement.
I don't believe it's productive in this example to use mysqli::store_result : it transfers the results to memory. You need it if you want to loop through results and do other queries while iterating over the results.
mysqli::bind_result is used to tell where the columns in the result of a select should go
mysqli::bind_param is used to tell which variable is to replace the "?" in the prepared statement
UTF-8: make sure to get everything else in UTF-8 as well (the html, the database, the fields in the database, ...)
|
rigaconnect
msg:4544126 | 12:24 pm on Feb 9, 2013 (gmt 0) |
Thank you for information.
As i understand the main part that prevents sql injection is
WHERE email = ? and then $stmt->bind_param('s', $email);
if instead of ? would be $email then prepared statemnt would not prevent sql injection...
|
swa66
msg:4544134 | 1:31 pm on Feb 9, 2013 (gmt 0) |
correct
|
|
|
