
Hi, I am developing a website starting from the template Metronic (HTML Template Boiler) that uses Bootstrap.

People say that this code has a risk of SQL injection.

Can you tell me where the code section is bad and how can I fix it?

    <div class="container main">

    <div class="main_pad">


        <?php
            if(isset($_GET['ID'])) {        
                $arrayResult = array();                         
                $query = $dbConnect->query("
                    SELECT
                        designers.ID AS ID_designer,
                        designers.nome AS nome_designer,
                        designers.immagine AS immagine_designer,
                        designers.testo_IT AS testo_IT_designer,
                        designers.testo_EN AS testo_EN_designer,
                        designers.website AS website_designer,
                        designers.ID_linea AS ID_linea_designer
                    FROM
                        designers
                    WHERE
                        ID = '" . $_GET['ID'] . "'
                ");
                $result = $dbConnect->extractObject($query);
                if(count($result)>0) {
                    for($i=0;$i<count($result);$i++) {
                        $fileParts = pathinfo($result[$i]->immagine_designer);
                        $basename = substr($fileParts['filename'], 0, -4);                              
                        $arrayResult = array(
                            $result[$i]->ID_designer, // 0
                            utf8_encode($result[$i]->nome_designer), // 1
                            $basename . '_640.' . $fileParts['extension'], // 2
                            utf8_encode($result[$i]->testo_IT_designer), // 3
                            utf8_encode($result[$i]->testo_EN_designer), // 4
                            $result[$i]->website_designer, // 5
                            $result[$i]->ID_linea_designer // 6
                        );
                    }
                }           

            ?>
            <div class="col-lg-6 designer">
                <a href="designers.php"><img src="images/left-arrow.png"></a>
                <h1><?php echo $arrayResult[1]; ?></h1>     
                <ul class="top-nav nav-tabs" id="specs" role="tablist">
                    <li class="active">
                        <a href="#bio"><?php echo $_SESSION['langPref']=='ENG' ? "BIO" : 'BIOGRAFIA'; ?></a>
                    </li>
                    <li>
                        <a href="#products"><?php echo $_SESSION['langPref']=='ENG' ? "PRODUCTS" : 'PRODOTTI'; ?></a>
                    </li>
                </ul>       
                <div class="tab-content">
                    <div class="tab-pane active" id="bio">
                        <div class="row">
                            <div class="col-lg-12">
                                <p style="margin-top: 20px;">
                                    <?php 
                                        switch($_SESSION['langPref']){
                                            default :
                                            case 'ENG' :
                                                echo $arrayResult[4];
                                            break;
                                            case 'IT' :
                                                echo $arrayResult[3];
                                            break;
                                        } 
                                    ?>                              
                                </p>
                            </div>
                        </div>
                    </div>                  
                    <div class="tab-pane" id="products">
                        <div class="row">
                            <div class="col-lg-12">
                                <?php

                                    $arrayLinesList = array();
                                    foreach(explode(',', $arrayResult[6]) as $lines => $line) {
                                        $arrayLinesList[] = '"' . $line . '",';
                                    }

                                    $query = $dbConnect->query("
                                        SELECT
                                            *
                                        FROM
                                            prodotti
                                        WHERE
                                            prodotti.ID_linea IN (" . substr(implode('', $arrayLinesList), 0, -1) . ")
                                    ");
                                    $result = $dbConnect->extractObject($query);


                                    if(count($result)>0) {
                                        echo '<ul style="margin-top: 20px;">';
                                            for($i=0;$i<count($result);$i++) {  
                                                    $co = '';                               
                                                    if($result[$i]->ID == 58){
                                                            $co = '(Claudio Dondoli)';
                                                    }elseif($result[$i]->ID == 53 && $_GET['ID'] == 19 || $result[$i]->ID == 40 && $_GET['ID'] == 19 || $result[$i]->ID == 41 && $_GET['ID'] == 19 || $result[$i]->ID == 62 && $_GET['ID'] == 19 || $result[$i]->ID == 63 && $_GET['ID'] == 19) {
                                                        $co = '(with Gianfranco Gualtierotti)';
                                                    }elseif($result[$i]->ID == 53 && $_GET['ID'] == 7 || $result[$i]->ID == 40 && $_GET['ID'] == 7 || $result[$i]->ID == 41 && $_GET['ID'] == 7 || $result[$i]->ID == 62 && $_GET['ID'] == 7 || $result[$i]->ID == 63 && $_GET['ID'] == 7) {
                                                        $co = '(with Giancarlo Vegni)';
                                                    }elseif($result[$i]->ID == 26 && $_GET['ID'] == 10 || $result[$i]->ID == 27 && $_GET['ID'] == 10 || $result[$i]->ID == 28 && $_GET['ID'] == 10 || $result[$i]->ID == 29 && $_GET['ID'] == 10 || $result[$i]->ID == 61 && $_GET['ID'] == 10) {
                                                        $co = '(with Patricia Urquiola)';
                                                    }elseif($result[$i]->ID == 26 && $_GET['ID'] == 18 || $result[$i]->ID == 27 && $_GET['ID'] == 18 || $result[$i]->ID == 28 && $_GET['ID'] == 18 || $result[$i]->ID == 29 && $_GET['ID'] == 18 || $result[$i]->ID == 61 && $_GET['ID'] == 18) {   
                                                        $co = '(with Sung Sook Kim)';
                                                    }   
                                                // $arrayLines is assumed to be defined elsewhere (e.g. in an include); fixed the missing ';' after &nbsp
                                                echo '<li><a href="product.php?ID=' . $result[$i]->ID . '">' . utf8_encode($arrayLines[$result[$i]->ID_linea][0])  .'&nbsp;'. $result[$i]->nome .'</a> &nbsp;' . ($co) .'</li>';

                                            }
                                        echo '</ul>';
                                    } else {
                                        echo '<p style="margin-top: 20px;">This designer has no products listed here!</p>';
                                    }
                                ?>
                            </div>
                        </div>
                    </div>
                </div>              
            </div><!-- /.left_cont -->
            <div class="col-lg-6 right_cont">
                <img src="admin/assets/admin/layout/img/designers/<?php echo $arrayResult[2]; ?>" class="img-responsive" />
            </div><!-- /.right_cont -->

        <?php 
            } 
        ?>
possible duplicate of [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Thilo Feb 12 '15 at 09:18

3 Answers


possible injection in

WHERE ID = '" . $_GET['ID'] . "'

for example if $_GET['ID'] = "' or 1 = 1"

solution: use parametrized queries.

tschmit007

One problem (I have not read all the code) is building SQL statements directly from user input (for example GET or POST data).

In your code you have

WHERE ID = '" . $_GET['ID'] . "'

You should use prepared statements - read How can I prevent SQL injection in PHP?

Ian Kenney

If you're using PDO, then be sure to use:

WHERE `id`=:id

and then use like:

$stmnt = $dbConnect->prepare($sql);
$stmnt->execute(Array(":id"=>$_GET['id']));

Also, if you want to protect from higher levels, search up the magic quotes library; that should help you a bit ;)
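Both concatenated queries from the question (the `WHERE ID = '...'` lookup and the `IN (...)` list built from `ID_linea`) rewritten as PDO prepared statements, as an added example that is not code from the question or any of the answers. It assumes a PDO connection `$pdo` to the same `designers` and `prodotti` tables; the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: $pdo is assumed to be an existing PDO connection (e.g. new PDO('mysql:...')).
// With emulated prepares off, bound values are sent to the server separately from the SQL
// text, so they can never change the structure of the statement.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Replaces: WHERE ID = '" . $_GET['ID'] . "'
// The value is validated as an integer and bound; an input such as "' or 1 = 1"
// is rejected before it reaches the database at all.
function fetchDesigner(PDO $pdo, string $rawId): ?object
{
    if (!ctype_digit($rawId)) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT ID AS ID_designer, nome AS nome_designer, immagine AS immagine_designer,
                testo_IT AS testo_IT_designer, testo_EN AS testo_EN_designer,
                website AS website_designer, ID_linea AS ID_linea_designer
         FROM designers WHERE ID = :id'
    );
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_OBJ);
    return $row === false ? null : $row;
}

// Replaces: WHERE prodotti.ID_linea IN (" . implode(...) . ")
// One "?" placeholder is generated per list element, so the list may be any length
// while every element still travels as a bound parameter rather than as SQL text.
function fetchProductsForLines(PDO $pdo, string $lineList): array
{
    $ids = array_filter(array_map('trim', explode(',', $lineList)), 'ctype_digit');
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT * FROM prodotti WHERE ID_linea IN ($placeholders)");
    $stmt->execute(array_values(array_map('intval', $ids)));
    return $stmt->fetchAll(PDO::FETCH_OBJ);
}

// Usage mirroring the page: the designer from ?ID=, then the products of its lines.
$designer = isset($_GET['ID']) ? fetchDesigner($pdo, (string) $_GET['ID']) : null;
$products = $designer !== null
    ? fetchProductsForLines($pdo, (string) $designer->ID_linea_designer)
    : [];
```

Values read back from the database (such as `ID_linea_designer`) are treated as untrusted too, which is why the second function validates each element instead of splicing the stored string into the `IN` clause.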