On every question I asked on Stack Overflow, I received a comment that it was easy to do a PHP injection into my script.

I now have an example and have checked some tutorials on YouTube. Am I doing this right now? This is an example of how I'm working now:

if ($user->isLoggedIn()) {
    $pakuser = $user->data()->username;
    // $id and $pakuser are interpolated directly into the SQL text
    $sql = $db->query("SELECT * FROM users
        INNER JOIN post ON users.username = post.add
        WHERE post.id = $id AND post.add = '$pakuser'");

    if ($sql === FALSE) {
        // $db is a mysqli object, so its error is in $db->error (mysql_error() belongs to the old mysql_ extension)
        die($db->error);
    }
    if ($row = $sql->fetch_object()) {
        if ($row->add) {
?>
    <p><a href="editpost.php?id=<?php echo htmlspecialchars($row->id); ?>">edit this post</a><br><br>BEWARE OF DELETING YOUR CONTENT THERE IS NO GO-BACK<br><a href="delete.php?id=<?php echo htmlspecialchars($row->id); ?>">Delete this post</a></p>
<?php
        }
    }
}
lighter

2 Answers

0

Every time the user can manipulate your SQL query without any restriction, there is a security issue. Here is an example:

$query_string = "SELECT * FROM user WHERE (name='$username' AND password='$password')";

if the user sends a password like:

"something') OR ('1' = '1"

the query will change to:

$query_string = "SELECT * FROM user WHERE (name='Name' AND password='something') OR ('1' = '1')";

Because '1'='1' is always true, this will return each user in your database.

Instead you can change the example above to:

// $mysqli is an open mysqli connection; placeholders replace the interpolated values
$query = $mysqli->prepare('SELECT * FROM user WHERE (name=? AND password=?)');
$query->bind_param('ss', $username, $password);
$query->execute();

This will filter all strings that could break your SQL query.

Nino
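The asker's query from the question rewritten with a mysqli prepared statement, as this answer recommends. This is an added example, not code from the question or from either answer; it assumes the `$db` (mysqli) and `$user` objects from the question exist and that the post id arrives as `$_GET['id']`.

```php
<?php
// Added example: the question's query with bound parameters instead of
// string interpolation. $db, $user, and the post/users tables are the
// ones from the question; findOwnedPost() is a helper name chosen here.

function findOwnedPost(mysqli $db, int $id, string $pakuser): ?object
{
    // The values never become part of the SQL text, so a quote or an
    // "OR '1'='1" inside them cannot change the statement's structure.
    $stmt = $db->prepare(
        'SELECT post.id, post.add
           FROM users
           INNER JOIN post ON users.username = post.add
          WHERE post.id = ? AND post.add = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // 'i' = integer, 's' = string: the driver sends each value typed.
    $stmt->bind_param('is', $id, $pakuser);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $row = $stmt->get_result()->fetch_object(); // needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

if ($user->isLoggedIn()) {
    // Reject anything that is not a whole number before it reaches the query.
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('invalid post id');
    }
    $post = findOwnedPost($db, $id, $user->data()->username);
    if ($post !== null) {
        // Output encoding is still needed: binding protects the SQL, not the HTML.
        $safeId = htmlspecialchars((string) $post->id, ENT_QUOTES, 'UTF-8');
        echo '<p><a href="editpost.php?id=' . $safeId . '">edit this post</a></p>';
    }
}
```

If the server's mysqli build lacks mysqlnd, `get_result()` is unavailable; use `bind_result()` and `fetch()` on the statement instead.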
-1

It seems like you are still just passing variables straight through into the query. Yes, this may work, but it is not necessarily secure.

You could have a look at using PDO instead, which has means of being able to verify the data type that you are wanting to pass through into your query rather than just passing a variable into the query string.

In terms of using mysqli, have a look at mysqli_real_escape_string if you have not already. It is well documented.

Harry Lawrence