-1

I have read that to prevent SQL injection, all MySQL statements should actually my mysqli and parametered. The above code connects to a database, selects a random 'verbs' row, and then takes the cell that intersects the 'verb' row and the def column (the definition of that verb) using mysql_fetch_assoc.

What changes would make a random query safe from injection?

        $user_name = "name";
        $password = "password";
        $database = "words";
        $server = "host";

    $db_handle = mysqli_connect($server, $user_name, $password) or die (mysqli_error($db_handle));
    $db_found = mysqli_select_db($db_handle, $database) or die (mysqli_error($db_handle));

        $randVerb = mysql_query("SELECT * FROM verbs ORDER BY RAND() LIMIT 1"); 
        $db_field = mysql_fetch_assoc($randVerb); 
        $definition= $db_field['def'];
halfer
  • 19,824
  • 17
  • 99
  • 186
beaverjam
  • 43
  • 5
  • 1
    There are no parameters in this query, so it is safe. The parameterisation you've heard about refers to placeholders in your query, usually in your `WHERE` clause. It is correct to say that mysqli is a modern replacement for the legacy mysql library, but PDO/pdo_mysql is also excellent. – halfer Aug 19 '14 at 22:32
  • 1
    Sidenote: You're mixing MySQL APIs. – Funk Forty Niner Aug 19 '14 at 22:36
  • This appears to be an exact duplicate of your previous question, [Using a mysqli prepared statement to select a random cell instead of MySQL? (to prevent sql injection)](http://stackoverflow.com/questions/25391130/using-a-mysqli-prepared-statement-to-select-a-random-cell-instead-of-mysql-to). It isn't ideal practice to copy-and-paste a question after it has been put on hold - but do please add in the comments what is not explained by the indicated dup. – halfer Aug 19 '14 at 22:42
  • i meant to focus more on the injection aspect than converting from mysql to mysqli. the indicated duplicate did not discuss injection much. – beaverjam Aug 19 '14 at 22:57
  • Alright, so the duplicate should have been this instead: [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – halfer Aug 20 '14 at 00:34
  • (When replying to a comment, don't forget to address it to the person concerned, such as @halfer - otherwise your message will likely be missed). – halfer Aug 20 '14 at 00:36
  • Does this answer your question? [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Dharman May 26 '20 at 22:28

3 Answers3

1

SQL injection can be only in queries uses some variables given from client. You don't have any here, so the query is safe

Vadim Babaev
  • 490
  • 1
  • 3
  • 13
1

There is nothing in SQL that is inherently dangerous to injection. The idea of sanitizing (or making a query safe) is when you're running a query based on some user input variable.

Like for example, someone is logging in. you would have a query like

SELECT COUNT() FROM `users` WHERE `user`='$user' AND `pass`='$pass'

which means if $pass="' OR 1=1--";

they would login as the first user in the database. So, you need to sanitize your variables before using them in your query (basically you're escaping quotes when sanitizing SQL data). Which is why PHP says to use mysqli instead of mysql.

Kenyon
  • 807
  • 1
  • 12
  • 24
1

You have to use mysqli or PDO because mysql_* is deprecated and it'll be removed in a future version of PHP!

Your code is safe, because you don't use any parameters.

One example for BAD code:

mysql_query("SELECT * FROM verbs WHERE id = ".$_GET['id']);

If you want to use parameters in your query use prepared statements! This is a quite good tutorial: http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers

halfer
  • 19,824
  • 17
  • 99
  • 186
Gerifield
  • 403
  • 5
  • 12
  • Yeah, but you could write vulnerable code in that too, if you don't use the prepared statements! – Gerifield Aug 19 '14 at 22:48
  • Sidenote: Mysqli and PDO are similar. Mysqli works a bit faster, but supports only MySQL database, PDO is a bit slower, but supports different databases like postgre, sqlite, mssql etc... – Gerifield Aug 19 '14 at 22:51
  • would how i used it be incorrect? is there a relatively simple way to change it to be correct for mysqli? – beaverjam Aug 19 '14 at 22:54
  • Check this tutorial: http://mattbango.com/notebook/code/prepared-statements-in-php-and-mysqli/ And search and read a bit about prepared statements. :) – Gerifield Aug 19 '14 at 22:55