Is this SQL query safe from injection?

Question

The code below is written in php:

$user = addslashes($_POST['user']);
$pwd = addslashes($_POST['pwd']);

$query = "SELECT * FROM userdata WHERE UserName='$user' AND Password=PASSWORD('$pwd')";

the query will then be sent to mysql Is there anything more I need to take care of?

Please point out.

possible duplicate of [Best way to prevent SQL Injection in PHP](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) — Code Magician, Jun 17 '12 at 17:25

score 6 · Answer 1 · edited May 23 '17 at 12:29

6

No it's not safe, use mysql_real_escape_string at minimum:

$user = mysql_real_escape_string($_POST['user']);
$pwd = mysql_real_escape_string($_POST['pwd']);

And for better security go for prepared statements.

Best Options:

PDO
mysqli

You may ask which one to choose, check out:

What is difference between mysql,mysqli and pdo?

edited May 23 '17 at 12:29

Community

1
1

answered Jun 17 '12 at 17:20

Sarfraz

377,238
77
533
578

Thanks for the reply. Sorry I cannot accept all replies as answers. – NSF Jun 17 '12 at 17:52

Code Magician · Accepted Answer · 2012-06-17T17:41:53.433

5

Nope.

The reason is that while a single quote ' is not the only char that break a sql query, quotes are the only chars escaped by addslashes().

Better: use mysql_real_escape_string

$user = mysql_real_escape_string($_POST['user'], $conn);
$pwd = mysql_real_escape_string($_POST['pwd'], $conn);

$query = "SELECT * FROM userdata WHERE UserName='$user' AND Password=PASSWORD('$pwd')";

Best: use PDO and prepared statements

$stmt = $dbh->prepare("SELECT * FROM userdata WHERE UserName=':user' AND Password=PASSWORD(':pass')");
$stmt->bindParam(':user', $user);
$stmt->bindParam(':pass', $pass);

edited Jun 17 '12 at 17:41

answered Jun 17 '12 at 17:19

Code Magician

23,217
7
60
77

1

`mysql_*` functions are being deprecated. They shouldn't be used in new code. – Oliver Charlesworth Jun 17 '12 at 17:21
That makes sense. It could be better if you can show a simple example of how injection to that code is possible – NSF Jun 17 '12 at 17:51
Here's a good example of how you can inject after addslashes is run: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string – Code Magician Jun 17 '12 at 18:15

score 3 · Answer 3 · answered Jun 17 '12 at 17:20

No. You should not be using addslashes() to escape your data. That's been obsolete for years. You should be either:

using mysql_real_escape_string() as a replacement
using prepared statements with PDO or MySQLi

Plus using MySQL's Password() function is also poor pracdtive. Use hashes with salts. Bcrypt is my recommendation. Also, check out PHPass.

score 2 · Answer 4 · answered Jun 17 '12 at 17:52

Protecting against SQL injection is easy:

Filter your data.

This cannot be overstressed. With good data filtering in place, most security concerns are mitigated, and some are practically eliminated.

Quote your data.

If your database allows it (MySQL does), put single quotes around all values in your SQL statements, regardless of the data type.

Escape your data.

Sometimes valid data can unintentionally interfere with the format of the SQL statement itself. Use mysql_escape_string() or an escaping function native to your particular database. If there isn't a specific one, addslashes() is a good last resort.

Read more: http://phpsec.org/projects/guide/3.html#3.2

Is this SQL query safe from injection?

4 Answers4