PHP and SQL Injection

Question

I have this piece of PHP, I just wanna make sure it's safe from SQL injection and security vulnerabilities:

<?php
require_once "./source/includes/data.php";
header('Content-type: application/json');
$request = mysql_real_escape_string($_REQUEST['email_address']);

$query = mysql_query("SELECT * FROM mmh_user_info WHERE email_address ='$request'");
$result = mysql_num_rows($query);
if ($result == 0){
$valid = 'true';}
else{
$valid = 'false';
}
echo $valid;
?>

I'm still a php newbie, any enhancements or edits would be greatly appreciated!

Pretty safe from injection, but if you're writing new code, why not go with either `PDO`'s or `mysqli`'s prepared statments? Safe as can be.. — Wrikken, May 16 '13 at 22:35
`$email_address` in your WHERE clause likely should be `$request`. Besides that, safe. — Shi, May 16 '13 at 22:41
Can you suggest an edit on this code? Or suggest a tutorial that explains how to do that in mysqli prepared statments? Thanks for your advice! — Rounds, May 16 '13 at 22:44
We would need to see how you output the data and how you inserted it, since this `could` still be vulnerable to XSS in certain cases. — Francisco Presencia, May 16 '13 at 23:30

score 4 · Accepted Answer · edited May 16 '13 at 23:53

4

I suggest you make use of PDO which is becoming a standard in PHP5:

$sth = $dbh->prepare("SELECT * FROM mmh_user_info WHERE email_address = ?");
$sth->execute(array($_REQUEST['email_address']));
$red = $sth->fetchAll();

edited May 16 '13 at 23:53

Francisco Presencia

8,732
6
46
90

answered May 16 '13 at 23:18

Mark Parker

123
4

An additional `isset` check is required here – zerkms May 16 '13 at 23:21
4

Shouldn't there be an `array()` inside `execute()` @zerkms – samayo May 16 '13 at 23:25
@php NoOb: that's too, but it's not my answer :-) – zerkms May 16 '13 at 23:26
mysqli extension also supports prepared statements. – Henrique Barcelos May 16 '13 at 23:30
I'm using this with jQuery validate 'remote'. I need the result to be true or false, can this be done with PDO ? – Rounds May 17 '13 at 13:53

score 1 · Answer 2 · edited Jun 20 '20 at 09:12

I would use $_POST instead of $_REQUEST for the points noted in this great answer by the user Pascal MARTIN:

$_REQUEST, by default, contains the contents of $_GET, $_POST and $_COOKIE.

But it's only a default, which depends on variables_order ; and not sure you want to work with cookies.

If I had to choose, I would probably not use $_REQUEST, and I would choose $_GET or $_POST -- depending on what my application should do (i.e. one or the other, but not both) : generally speaking :

You should use $_GET when someone is requesting data from your application.

And you should use $_POST when someone is pushing (inserting or updating ; or deleting) data to your application.

Either way, there will not be much of a difference about performances : the difference will be negligible, compared to what the rest of your script will do.

PHP and SQL Injection

2 Answers2