I'm a noob in PHP and I'm having a hard time protecting my code against MySQL injection. What my code does is fetch the info that has been submitted from a form and then insert it into the database. I don't know where to put the protection. Can anyone please help me. Thank you very much. This is my code:

<?php
$db_host="localhost";  
$db_uname="regina_rainier";    
$db_pass="rainier1990"; 
$db_name="regina_testdatabase";  
$url = 'home.php';

$con=@mysql_connect($db_host,$db_uname,$db_pass);  
// Check connection
if (!$con)
{
echo "<br />";
die('Could not connect: ' . mysql_error());
}
else{
echo "<br />";
}
mysql_select_db($db_name) or die("cannot find database"); 
echo "<br />";



$sql="INSERT INTO costumer (costumer_ID,  first_name, last_name, birth_date, adress,  city, state,
 postal_code, country, phone, email_client,username, password, Credit_Card, Credit_CardType) 
VALUES 
('$_POST[costumer_ID]',  '$_POST[first_name]', '$_POST[last_name]',     '$_POST[birth_date]', '$_POST[adress]', '$_POST[city]', '$_POST[state]', '$_POST[postal_code]', '$_POST[country]', '$_POST[phone]', '$_POST[email_client]','$_POST[username]', '$_POST[password]','$_POST[Credit_Card]','$_POST[Credit_CardType]');"


echo "<br />";

if (!mysql_query($sql,$con))
{ 
echo "<br />";
die('Error: ' . mysql_error());
}
$sql2="INSERT INTO login(password, username, costumer_costumer_ID) 
VALUES ('$_POST[username]',  '$_POST[password]', '$_POST[costumer_ID]');";
if(!mysql_query($sql2,$con)){
echo "<br />";
die ("ERROR: ".mysql_error());

}


if (isset($_REQUEST['email_client'])){

$email = $_REQUEST['email_client'] ;
$subject = 'Email Confirmation testing';
$message = 'Greetings'." ". $_REQUEST['first_name'].","."\n" 
."We have received your request."."\n". "Please check if the fields are filled correctly."."\n\n"
."Desired Username: ".$_REQUEST['username']."\n" 
."Desired password is: ".$_REQUEST['password']."\n"
."I.D. number: ".$_REQUEST['costumer_ID']."\n"
."First name: ".$_REQUEST['first_name']."\n"
."Last name: ".$_REQUEST['last_name']."\n"
."Birth date: ".$_REQUEST['birth_date']."\n"
."Adress: ".$_REQUEST['adress']."\n"
."City: ".$_REQUEST['city']."\n"
."Country: ".$_REQUEST['country']."\n"
."Phone: ".$_REQUEST['phone']."\n"
."Email Adress: ".$_REQUEST['email_client']."\n"
."Card Number: ".$_REQUEST['Credit_Card']."\n"
."Card Type:".$_REQUEST['Credit_CardType']."\n"
."\n\n Your account was succesfully created";


$_sender='www.postmasterSPapiesOnlineShopping.com';
mail($email, $subject,
$message, "From:" . $_sender );


}



 echo"<br />";
 echo " Congratulations, your account was succesfully created.";

mysql_close($con);


echo '<META HTTP-EQUIV=Refresh CONTENT="0; URL='.$url.'">';
?>

</header>
</html>
Pacheko
  • First of all stop using `mysql_*` functions and switch to `PDO` or `mysqli_*` – Niket Malik Nov 15 '13 at 15:22
  • Had you Googled this or done any type of research, you would have found that using the deprecated `MySQL_` functions is literally plastered all over the Internet/SO. I doubt you spent more than 3 minutes on the subject. I see a `Credit_Card` field; wow. **I (strongly) suggest** you spend 3 "hours" instead, in order to fully research and understand what you're getting yourself into. The link above given by `jeroen` is a start and you could benefit by reading this also => https://www.owasp.org/index.php/Top_10_2013-Top_10 – Funk Forty Niner Nov 15 '13 at 15:32
  • And just for grammar's sake, the word is "customer" and not "costumer" - A "costumer" is someone who dresses people up or supplies people with "costumes". Halloween is over, unless you're supplying to wannabee Santas. – Funk Forty Niner Nov 15 '13 at 15:39

4 Answers

  1. Do not use mysql_*, which is deprecated. Replace all your calls by their mysqli_* equivalent at least (or with PDO, which can be a little harder for a real beginner but may be worth it if the project may change database type).

  2. Use prepared statements. All you need is in the PHP documentation: http://us3.php.net/mysqli_prepare

Asenar

Step 1

Stop using mysql_query immediately. You're doing it the way it was done in the naive days of the late 1990s when SQL injection bugs weren't really perceived to be a problem.

Step 2

Learn PDO, which takes only about 30 minutes to pick up. Use the placeholders method for inserting data and be disciplined about doing this. When you get lazy, you make mistakes, and these days mistakes can have huge consequences.

Step 3

Stop writing direct SQL code and instead spend the time to learn a popular development framework so you don't have to waste your day doing low-level stuff when this could all be handled for you.

Don't worry, though. Admitting you have a problem is the first step to a solution, right?

tadman
  • *"Admitting you have a problem is the first step to a solution"* – It's the "recovery" that could hurt the most, and that could take time. – Funk Forty Niner Nov 15 '13 at 16:06

Use prepared statements

What they do is first send a version of the query with placeholders for the data. The query is verified and prepared. If successful, you can send the values, which the database will safely insert into the prepared query.

There are three options:

The MySQLi extension

$stmt = $mysqli->prepare('INSERT INTO costumer (costumer_ID,  first_name, last_name, birth_date, adress,  city, state, postal_code, country, phone, email_client,username, password, Credit_Card, Credit_CardType) 
                         VALUES 
                         (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)');

// mysqli_stmt::bind_param takes a type string (i = integer, s = string), one letter per placeholder
$stmt->bind_param('issssssssssssss', $_POST['costumer_ID'], $_POST['first_name'], $_POST['last_name'],
                  $_POST['birth_date'], $_POST['adress'], $_POST['city'], $_POST['state'],
                  $_POST['postal_code'], $_POST['country'], $_POST['phone'], $_POST['email_client'],
                  $_POST['username'], $_POST['password'], $_POST['Credit_Card'], $_POST['Credit_CardType']);
$stmt->execute();

The PDO extension

// use native prepared statements if supported
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$stmt = $pdo->prepare('INSERT INTO costumer (costumer_ID,  first_name, last_name, birth_date, adress,  city, state, postal_code, country, phone, email_client,username, password, Credit_Card, Credit_CardType) 
                       VALUES 
                       (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)');

// positional placeholders are numbered from 1; declare the type where it matters
$stmt->bindParam(1, $_POST['costumer_ID'], PDO::PARAM_INT);
$stmt->bindParam(2, $_POST['first_name']);
$stmt->bindParam(3, $_POST['last_name']);
$stmt->bindParam(4, $_POST['birth_date']);
$stmt->bindParam(5, $_POST['adress']);
$stmt->bindParam(6, $_POST['city']);
$stmt->bindParam(7, $_POST['state']);
$stmt->bindParam(8, $_POST['postal_code']);
$stmt->bindParam(9, $_POST['country']);
$stmt->bindParam(10, $_POST['phone']);
$stmt->bindParam(11, $_POST['email_client']);
$stmt->bindParam(12, $_POST['username']);
$stmt->bindParam(13, $_POST['password']);
$stmt->bindParam(14, $_POST['Credit_Card']);
$stmt->bindParam(15, $_POST['Credit_CardType']);
$stmt->execute();

Raw queries via any extension

I'm not going to give an example because the other two methods are far superior.

Darsstar
  • PDO's `execute` supports named parameters which are usually a lot easier to read and debug than a pile of question marks: `VALUES (:name)` and `execute(array(":name" => $name))` as an example. – tadman Nov 15 '13 at 16:15
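The following is an added example, not code from the question or from any of the answers above. It puts tadman's advice (PDO with placeholders, used consistently), Darsstar's PDO section and tadman's comment about named parameters together by rewriting both of the question's INSERT statements. The DSN, credentials and table layout are placeholders taken from the question; the `costumer` and `login` tables are assumed to exist with the columns shown there.

```php
<?php
// Added example: the question's two INSERTs with PDO named placeholders.
// Assumed: the tables and columns from the question exist; credentials are placeholders.

$dsn = 'mysql:host=localhost;dbname=regina_testdatabase;charset=utf8mb4';
$pdo = new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly instead of silently
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
]);

// Only these request keys are ever read; anything else in $_POST is ignored.
$fields = ['costumer_ID', 'first_name', 'last_name', 'birth_date', 'adress', 'city',
           'state', 'postal_code', 'country', 'phone', 'email_client', 'username',
           'password', 'Credit_Card', 'Credit_CardType'];

$params = [];
foreach ($fields as $f) {
    // Missing fields become empty strings; the SQL text never contains request data.
    $params[':' . $f] = isset($_POST[$f]) ? (string) $_POST[$f] : '';
}

// Column names are fixed in the query; only the VALUES come in through placeholders,
// so quotes, semicolons or comment markers in the input are stored literally.
$insertCustomer = $pdo->prepare(
    'INSERT INTO costumer (costumer_ID, first_name, last_name, birth_date, adress, city, state,
        postal_code, country, phone, email_client, username, password, Credit_Card, Credit_CardType)
     VALUES (:costumer_ID, :first_name, :last_name, :birth_date, :adress, :city, :state,
        :postal_code, :country, :phone, :email_client, :username, :password, :Credit_Card, :Credit_CardType)'
);

$insertLogin = $pdo->prepare(
    'INSERT INTO login (username, password, costumer_costumer_ID)
     VALUES (:username, :password, :costumer_ID)'
);

try {
    // Both rows are written or neither is.
    $pdo->beginTransaction();
    $insertCustomer->execute($params);
    $insertLogin->execute([
        ':username'    => $params[':username'],
        ':password'    => $params[':password'],
        ':costumer_ID' => $params[':costumer_ID'],
    ]);
    $pdo->commit();
} catch (PDOException $e) {
    $pdo->rollBack();
    // Keep the driver's error text in the server log; the user only gets a generic message.
    error_log('account creation failed: ' . $e->getMessage());
    exit('Could not create the account.');
}
```

With native prepares (`ATTR_EMULATE_PREPARES` off) each named placeholder may appear only once in a statement, which is why the second INSERT gets its own three-element array rather than the full `$params` list; PDO also rejects an `execute()` array that carries keys the statement does not use. Turning `ATTR_ERRMODE` to exceptions replaces the question's `die(mysql_error())` pattern, so database error details stop being echoed to the browser.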

Dear, please move to PHP PDO; here is a link: http://php.net/manual/en/book.pdo.php

PDO is far better and faster than MySQL, and you should know that MySQL in PHP is now obsolete; instead MySQLi has been introduced in PHP (mind the "i" in MySQLi). I personally prefer PDO. You can go through many online articles.

Airy
  • Please, do not use "plz". Thanks. This is not a text message to your best friend, it is a shared resource used by many people. – tadman Nov 15 '13 at 15:55