
I'm busy creating a login system for my site and now I'm focusing on the registration system, but I read that the POST method is vulnerable to SQL injection and I want to change that. Now my problem is that I don't know very much about PHP and I don't get how to use prepared statements. Can anyone help me implement it? Here is my code:

<?php
error_reporting(E_ALL); ini_set('display_errors', 1);
include('connect.php');
// If the values are posted, insert them into the database.
if (isset($_POST["username"]) && isset($_POST["email"]) && isset($_POST["password"])){
    $username = $_POST["username"];
    $email = $_POST["email"];
    $password = $_POST["password"];
    $epassword = hash("sha512", $password);

    // Unsafe: the posted values are concatenated straight into the SQL string.
    $query = "INSERT INTO `user` (username, password, email) VALUES ('$username', '$epassword', '$email')";
    $result = mysqli_query($connection, $query);
    if($result){
        $msg = "User Created Successfully.";
    }
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Franeker Computer Reparaties</title>
<link rel="stylesheet" href="styles.css" />
</head>
<body>
<div id="wrapper">

<h1 id="logo">
<a href=""> </a>
</h1>

<div class="register-form">
<?php
if(isset($msg) && !empty($msg)){
    echo $msg;
}
?>
<h1>Registreer</h1>
<form action="" method="POST">
<p><label>User Name : </label>
<input id="username" type="text" name="username" placeholder="username" /></p>

<p><label>E-Mail&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : </label>
<input id="email" type="email" name="email" required placeholder="name@email.com" /></p>

<p><label>Password&nbsp;&nbsp; : </label>
<input id="password" type="password" name="password" placeholder="password" /></p>

<a class="btn" href="login.php">Login</a>
<input class="btn register" type="submit" name="submit" value="Registreer" />
</form>

</div>

<div id="navwrapper">
  <ul id="nav">
    <li><a href="index.php">Home</a></li>
    <li><a href="diensten.php">Diensten</a></li>
    <li><a href="advies.php">Advies</a></li>
    <li><a href="contact.php">Contact</a></li>
  </ul>
</div>

</div>
</body>
</html>
EM-Creations
de boer
    SO is neither a free coding service nor a place for tutorials. If you don't understand prepared statements, read up on them until you do. There is enough material on this topic available. – Ingo Bürk Nov 13 '14 at 17:44
  • I'm sorry, I did not mean to get my code edited by you guys; let me change my question. If I add the first answer instead of the part: $query = "INSERT INTO `user` (username, password, email) VALUES ('$username', '$epassword', '$email')"; $result = mysqli_query($connection, $query); will it work? – de boer Nov 13 '14 at 17:49
  • The POST method itself is not vulnerable to anything that you should be worried about, it does precisely what it was designed to do. Transferring the POST data out of PHP's memory and into a different location, such as but not always a DBMS, is the unsafe part because there are ways to craft the input to trigger unwanted actions. Start here http://stackoverflow.com/a/18534687/2191572 – MonkeyZeus Nov 13 '14 at 17:56
  • I'm sorry for the duplicate, but I used this question because I did not fully understand certain parts of the other question. If it is needed, I could delete the question? – de boer Nov 13 '14 at 18:01
  • Just FYI, since you seem to not quite understand injection: any time you use input from $_POST, $_GET, $_COOKIE, or $_REQUEST to put data into the DB, into another file, or to send an e-mail, etc., the data is UNSAFE because a user can put anything in those fields that they want. So, you must always "sanitize" those values to make sure that they don't have SQL injections, e-mail header injections (if putting in e-mail), etc. – Kevin Nelson Nov 13 '14 at 18:02
  • @KevinNelson thanks for the tip! I am going to look into it. – de boer Nov 13 '14 at 18:03

1 Answer


Use prepared statements:

// The SQL contains only ? placeholders; the values are sent separately by bind_param,
// so they can never change the structure of the statement.
$stmt = $connection->prepare("INSERT INTO `user` (username,password,email) VALUES(?,?,?)");
$stmt->bind_param("sss", $username, $epassword, $email);
$result = $stmt->execute(); // true on success, so the existing if($result) check still works

AlexL
  • And this is instead of: $query = "INSERT INTO `user` (username, password, email) VALUES ('$username', '$epassword', '$email')"; $result = mysqli_query($connection, $query); ? – de boer Nov 13 '14 at 17:53
  • Yes. Use that code instead of the one you mentioned. – AlexL Nov 13 '14 at 17:54
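A fuller registration handler built on the same prepared-statement approach, added here as an example (it is not code from the question or the answer). It assumes connect.php provides $connection as a mysqli object, as the question's code implies, and it swaps the unsalted hash("sha512") for password_hash(), which salts and slows the hash; the register_user function and its messages are constructed for this example.

```php
<?php
// Added example (not from the question or answer): a complete registration
// handler using a mysqli prepared statement. Assumes connect.php defines
// $connection as a mysqli object, as the question's code implies.
include('connect.php');

// Throw exceptions instead of silently returning false from mysqli calls.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function register_user(mysqli $connection, string $username, string $email, string $password): bool
{
    // password_hash() adds a per-user salt and uses a slow algorithm; a plain
    // hash("sha512", ...) as in the question is fast and unsalted.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // The SQL text contains only placeholders; user input is never
    // concatenated into it, so it cannot change the statement's structure.
    $stmt = $connection->prepare(
        "INSERT INTO `user` (username, password, email) VALUES (?, ?, ?)"
    );
    $stmt->bind_param("sss", $username, $hash, $email);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$msg = null;
if (isset($_POST["username"], $_POST["email"], $_POST["password"])) {
    // Minimal server-side validation; the HTML 'required' attribute alone is
    // not enforced for requests that bypass the browser form.
    if ($_POST["username"] === '' || filter_var($_POST["email"], FILTER_VALIDATE_EMAIL) === false) {
        $msg = "Please supply a user name and a valid e-mail address.";
    } else {
        try {
            $msg = register_user($connection, $_POST["username"], $_POST["email"], $_POST["password"])
                ? "User Created Successfully."
                : "Registration failed.";
        } catch (mysqli_sql_exception $e) {
            // Do not echo $e->getMessage() to the browser; log it instead.
            error_log($e->getMessage());
            $msg = "Registration failed.";
        }
    }
}
```

Verify the login side with password_verify($password, $storedHash) rather than re-hashing and comparing strings.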