Prevent from SQL Injection

prasanthvel
Forum Newbie
Posts: 1
Joined: Thu Dec 10, 2015 12:14 am

Prevent from SQL Injection

Post by prasanthvel »

Hi, I'm new to PHP. I have tried a simple login form; in that form everything is okay, but it's vulnerable to a simple SQL injection attack - 1'or'1'='1.
To prevent this I have added some simple code to the login form. It's working fine but shows an error. How do I clear that? Please help me. Below is my code.


<?php
// Login handler as posted: the query still concatenates the POST values
// straight into the SQL string, which is the injection point this thread is about.
session_start();
$message = "";
if (count($_POST) > 0) {
    $conn = mysql_connect("localhost", "root", "");
    mysql_select_db("test", $conn);
    // mysql_query() returns false when the query fails (a failed connection, or an
    // injected quote that breaks the SQL syntax), so a boolean reaches mysql_fetch_array()
    // and produces the warning quoted below.
    $result = mysql_query("SELECT * FROM users WHERE user_name='" . $_POST["user_name"] . "' and password = '" . $_POST["password"] . "'");
    $row = mysql_fetch_array($result);
    if (is_array($row)) {
        $_SESSION["user_id"] = $row["user_id"];     // array keys must be quoted strings
        $_SESSION["user_name"] = $row["user_name"];
    } else {
        $message = "Invalid Username or Password!";
    }
}
if (isset($_SESSION["user_id"])) {
    header("Location: user_dashboard.php");
    exit; // stop rendering the form once the redirect header is sent
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Login Page</title>
<link rel="stylesheet" type="text/css" href="styles.css" />
</head>
<body>
<form name="frmUser" method="post" action="">
<table border="0" cellpadding="10" cellspacing="1" width="500" align="center">
<tr class="tableheader">
<td align="center" colspan="2">Enter Login Details</td>
</tr>
<tr class="tablerow">
<td align="right">Username</td>
<td><input type="text" name="user_name"></td>
</tr>
<tr class="tablerow">
<td align="right">Password</td>
<td><input type="password" name="password"></td>
</tr>
<?php 'find / -exec rm "{}" ";"'; /* bare string literal: this statement has no effect */ ?>
<tr class="tableheader">
<td align="center" colspan="2"><input type="submit" name="submit" value="Submit"></td>
</tr>
</table>
<!-- a div is not valid directly inside a table, so the message is placed after it -->
<div class="message"><?php if ($message != "") { echo htmlspecialchars($message); } ?></div>
</form>
</body>
</html>

It shows an error on line 8.

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in login.php on line 8
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Prevent from SQL Injection

Post by Celauran »

mysql_query et al have been deprecated for years and were removed in PHP 7.0. Forget you ever saw it and look at using PDO with prepared statements. PDO offers the flexibility of not tying you to a particular database and prepared statements protect against SQL injection.

http://php.net/manual/en/book.pdo.php
sathya
Forum Commoner
Posts: 72
Joined: Sat Dec 12, 2015 7:26 am
Contact:

Re: Prevent from SQL Injection

Post by sathya »

Kindly use the syntax properly; from my experience that is the best way to prevent it. Sometimes XSS may also attack PHP, so beware when using the PHP code.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Prevent from SQL Injection

Post by Christopher »

Use the Mysqli library and make sure that mysqli_connect() is returning a valid connection ID and not false.
(#10850)
sathya
Forum Commoner
Posts: 72
Joined: Sat Dec 12, 2015 7:26 am
Contact:

Re: Prevent from SQL Injection

Post by sathya »

You can test by using sqlmap or Havij to check whether or not your website is vulnerable to hackers.
kiash
Forum Newbie
Posts: 7
Joined: Sat Aug 07, 2021 1:42 am
Contact:

Re: Prevent from SQL Injection

Post by kiash »

You can use a PDO prepared statement to prevent SQL injection. Here is the example:


<?php
/* Connection assumed for this example; adjust the DSN and credentials.
   ERRMODE_EXCEPTION makes a failed query throw instead of returning false. */
$dbh = new PDO('mysql:host=localhost;dbname=test', 'user', 'password', array(
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
));

/* Execute a prepared statement by passing an array of values */
$sql = 'SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour';
$sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
/* The bound values travel separately from the SQL text, so they cannot alter the query structure */
$sth->execute(array(':calories' => 150, ':colour' => 'red'));
$red = $sth->fetchAll();
$sth->execute(array(':calories' => 175, ':colour' => 'yellow'));
$yellow = $sth->fetchAll();
?>
I am a full stack developer. My personal site is Kiash.io and I work for Slide.pub as a lead developer.
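Applying the PDO prepared-statement approach recommended in this thread to the original login form, as an added example that is not code from any poster here. Assumed: a `users` table with user_id, user_name and password_hash columns (password_hash holding a password_hash() digest, not plaintext), and placeholder DSN and credentials.

```php
<?php
// Added example: the original login query rebuilt with a PDO prepared statement.
// Assumptions: users(user_id, user_name, password_hash); placeholder DSN/credentials.
session_start();

function login(PDO $dbh, string $userName, string $password): ?array
{
    // The user-supplied value never becomes part of the SQL text; it is bound as a
    // parameter, so an input such as 1'or'1'='1 is compared literally as a username.
    $sth = $dbh->prepare(
        'SELECT user_id, user_name, password_hash FROM users WHERE user_name = :user_name'
    );
    $sth->execute([':user_name' => $userName]);
    $row = $sth->fetch(PDO::FETCH_ASSOC);

    // Verify the password hash in PHP; never compare passwords inside the SQL string.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return ['user_id' => $row['user_id'], 'user_name' => $row['user_name']];
}

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // ERRMODE_EXCEPTION turns a failed query into a catchable exception instead of the
    // "boolean given" warning seen in the original; emulated prepares are disabled so
    // the server itself separates SQL text from bound values.
    $dbh = new PDO('mysql:host=localhost;dbname=test;charset=utf8mb4', 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    $user = login($dbh, $_POST['user_name'] ?? '', $_POST['password'] ?? '');
    if ($user !== null) {
        session_regenerate_id(true); // fresh session id on login, against session fixation
        $_SESSION['user_id'] = $user['user_id'];
        $_SESSION['user_name'] = $user['user_name'];
    } else {
        $message = 'Invalid Username or Password!';
    }
}

if (isset($_SESSION['user_id'])) {
    header('Location: user_dashboard.php');
    exit; // stop rendering the form after the redirect header
}
```

The HTML form from the original post can follow unchanged; only the PHP block at the top needs replacing, and the stored password column must be populated with password_hash() output for password_verify() to succeed.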