How i can make my code secure from SQL Injection

Question

I know i am not secure when i am using this code so anything i can add in my code?

I have tried my self sql injection they are somewhere working but not much as i dont have much knowledge about sql injection. but as hacker are more smart so they can really hack my website.

Url looks like this :

http://example.com/profile.php?userID=1

php

$userID = $_GET['userID'];
$userID = mysql_real_escape_string($userID);
$CheckQuery = mysql_query("SELECT * FROM tbl_user WHERE id='$userID'");

$CheckNumber = mysql_num_rows($CheckQuery);
if ($CheckNumber !== 1)
{
    header("Location: tos.php");
}

I tried:

http://example.com/profile.php?userID=1'

which hide many things on site.

when i tried

http://example.com/profile.php?userID=1' UNION SELECT * FROM tbl_user; with havij it was hacked

Thanks :|

Answer 1

use mysqli::prepare or at least sprintf

mysql_query(sprintf("SELECT * FROM tbl_user WHERE id='%d'", $userID);

$db = new mysqli(<database connection info here>);

$stmt = $db->prepare("SELECT * FROM tbl_user WHERE id='?'");
$stmt->bind_param("id", $userID);
$stmt->execute();
$stmt->close();

Answer 2

Dont use mysql_* functionality at all. Use PDO or mysqli.

http://php.net/PDO http://php.net/mysqli

PDO will escape your data for you.

But for your current code:

$userID = $_GET['userID'];
$userID = mysql_real_escape_string($userID);

if(ctype_digit($userID))
{
    $CheckQuery = mysql_query("SELECT * FROM tbl_user WHERE id='$userID'");

    $CheckNumber = mysql_num_rows($CheckQuery);
    if ($CheckNumber !== 1)
    {
        header("Location: tos.php");
    }
} else {
    // THE USER ID IS NOT ALL NUMBERS, CREATE AN ERROR
}

Answer 3

I know i am not secure when i am using this code

This statement is wrong.
As a matter of fact, this very code is pretty secure.

And none of the codes you provided below would do any harm. Why do you think it is not secure?

This way is not recommended, yes. And the way you are using to format your queries may lead to injection for some other query. But the present code is perfectly secure.

As long as you are enclosing every variable in quotes and escape special chars in it - it is safe to be put into query.
Only if you omit one these two rules (i.e. escape but don't quote or quote but don't escape) - you are in sure danger. But as long as you're following both, you're safe.

The only reason for "hacking" I can guess of is a single quote used in HTML context. In some circumstances it can "hide many things on the page". But for the SQL, with the code you posted here, it's harmless

Look, out of this link

http://example.com/profile.php?userID=1'

your code will produce such a query

SELECT * FROM tbl_user WHERE id='1\''

which is quite legit for mysql and will even return a record for id=1, as it will cast 1' to 1 and find the record. This is why there is no redirect to tos.php.

So, the problem is somewhere else.

• either there is a code that does not follow the rules I posted above
• or this problem is unrelated to SQL at all - so, you are barking wrong tree and thus still keep whatever vulnerability open

Most likely you have to echo your values out

Answer 4

u can try type casting the value

<?php


$CheckQuery = mysql_query("SELECT * FROM tbl_user WHERE id='".(int)$userID."'");

?>