0

Is this code susceptible to SQL injection?

function SaveUser($usu,$pass,$name){
    $sql="insert into usuarios(USU,PASS,NOMBRE,ESTADO)
    values('$usu',md5('$pass'),'$name','$apellido2','A')";

    ...
}
0x5C91
  • 3,360
  • 3
  • 31
  • 46
Geoffrey-ap
  • 380
  • 3
  • 12
  • That depends on where the variables `$usu`, `$pass` and `$name` come from. My guess is that they come from user input and this is susceptible. See [this question](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1) –  Mar 21 '14 at 20:39
  • 1
    Short answer: Yes. Slightly longer answer: It depends on where the variables come from. – Sverri M. Olsen Mar 21 '14 at 20:40
  • @MikeW you are essentially wrong. – Your Common Sense Mar 21 '14 at 20:41
  • @YourCommonSense Not totally wrong. If the the variables are filtered before passing to the function then it should be fine. – John Guan Mar 21 '14 at 20:42
  • 2
    @YourCommonSense Are you saying that this code is **not** susceptible? If so, I'd say you are completely wrong. –  Mar 21 '14 at 20:42
  • @ChongGuan whatever "filtering" has absolutely nothing to do with proper SQL formatting. For more info see here: http://phpdelusions.net/sql_injection – Your Common Sense Mar 21 '14 at 20:44
  • @YourCommonSense I am not saying this is the way SQL formatting should be done. I am just saying MikeW is not essentially wrong in a way. – John Guan Mar 21 '14 at 20:48
  • Everyone who says "it depends" is deeply, essentially wrong. I wonder if world *ever* will learn to use prepared statements. – Your Common Sense Mar 21 '14 at 20:49
  • This belongs on [`codereview.stackexchange.com`](http://codereview.stackexchange.com/) --- No sense bickering about this. [`Read up on SQL injection`](http://stackoverflow.com/q/60174/) *Plus*, do NOT use MD5 for password storage, it's considered too fast. Use `crypt()` or PHP 5.5's `password_hash()` function. – Funk Forty Niner Mar 21 '14 at 20:52
  • It's just amazing feature of Stack Overflow - every time there is a freshman, unaware of all the modern achievements of the trade, eager to defend some ancient views... – Your Common Sense Mar 21 '14 at 20:55
  • the variables come directly from the user. – Geoffrey-ap Mar 21 '14 at 21:01
  • why is not recommended to use MD5 ? is there any link? – Geoffrey-ap Mar 21 '14 at 21:05
  • @user3397363 You can read up on MD5 here => http://en.wikipedia.org/wiki/MD5 – Funk Forty Niner Mar 21 '14 at 21:23

6 Answers6

2

If you want to stop sql injection, the safest way is to not use sql. Although, PDO is the best option with prepared statements. I will leave an example of a connect/insert script. The documentation is at http://php.net/pdo. Also, you should use bcrypt or password_hash (only if you're on php 5.5) for hashing passwords. MD5 is not safe.

<?php
$connect = new PDO("mysql:host=localhost;dbname=db", "username", "password");
$connect->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING );
$query = $connect->prepare("insert into usuarios(USU,PASS,NOMBRE,ESTADO)
values(?, ?, ?, ?)");
$query->bindValue(1, $usu);
$query->bindValue(2, md5('$pass'));
$query->bindValue(3, $name);
$query->bindValue(4, $apellido2);
try {
     $query->execute();
} catch (PDOException $e) {
     die($e->getMessage());
}
?>
user3299250
  • 33
  • 6
1

Yes it is, use pdo if you want to stop sql injection. Sanitization of the input data is really important before inserting into the database.

check this : How does PHP PDO's prepared statements prevent sql injection? What are other benefits of using PDO? Does using PDO reduce efficiency?

Here is the link on how to use pdo: http://www.php.net/manual/en/book.pdo.php

Community
  • 1
  • 1
akr
  • 739
  • 4
  • 15
1

ANY time you're inserting dymamic data (e.g. variables) into an SQL query, the query becomes injectable. Even if those variables did not come from "outside" the system. You can TRIVIALLY inject yourself. e.g.

$name = "Miles O'Brien";
$sql = "SELECT * FROM users WHERE name='$name'";

Looks perfectly innocent. Theres no "external" data submitted by a malicious user. It's purely code + data you've written, but that '-quote in the name has now broken your statement and caused an injection attack. The attack fails because it's not actually a real attack, but it still introduces an SQL syntax error:

SELECT * FROM users WHERE name='Miles O'Brien';
                               ^^^^^^^^^---- string
                                        ^^^^^^--dangling unknown field/keyword.
Marc B
  • 356,200
  • 43
  • 426
  • 500
0

Yes, the variables are not filtered before being inserted into the query, leaving the possibility of containing injection there. See How can I prevent SQL injection in PHP? for more information on how to prevent injection.

Aside from that, it seems like you're trying to use md5 as password encryption. I would recommend looking into other ways of hashing passwords, as md5 is not up to security standards.

Community
  • 1
  • 1
tvkanters
  • 3,519
  • 4
  • 29
  • 45
  • 1
    I see someone downvoted this question. Please explain your motivation for doing so to inform others and me on why this is wrong. – tvkanters Mar 21 '14 at 20:50
0

Yes it is. You should look into Prepared statements
http://www.php.net/pdo.prepared-statements
The parameters to prepared statements don't need to be quoted; the driver automatically handles this. If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible).

user3413153
  • 9
  • 3
0

Yes, that statement is vulernable to an SQL Injection.

Also, you should NEVER use md5 to encrypt passwords. Use bcrypt instead

See here: How do you use bcrypt for hashing passwords in PHP?

Community
  • 1
  • 1
Lee Salminen
  • 900
  • 8
  • 18