
New to PHP & MySQL. Followed a tutorial on YouTube but after messing around a bit I managed to bypass and access my site using admin'# as the username and a blank password. See here.

My code (PHP):

<?php
 $username = "***";
 $password = "****";
 $hostname = "mysql1.000webhost.com";
 $database = "***_login";
 
 $dbhandle = mysql_connect($hostname, $username, $password)
   or die("Could not connect to server");
 
 $selected = mysql_select_db($database, $dbhandle)
   or die("Could not select database");
 
 $myusername = $_POST['user'];
 $mypassword = $_POST['pass'];
 
 // stripslashes() only undoes magic_quotes escaping; it does nothing against injection.
 $myusername = stripslashes($myusername);
 $mypassword = stripslashes($mypassword);
 
 // Vulnerable: the raw POST values are pasted into the SQL text.
 // A username of admin'# closes the string literal and comments out the password check.
 $query = "SELECT * FROM Users WHERE Username='$myusername' and Password='$mypassword'";
 $result = mysql_query($query) or die(mysql_error());
 $count = mysql_num_rows($result);
 
 if ($count == 1) {
   $seconds = 186400 + time();
   setcookie("loggedin", date("F jS - g:i a"), $seconds);
   header("location:index.php");
 } else {
   header("location:loginfailed.php");
 }
 
 mysql_close($dbhandle);
?>

I've read about using some sort of parameters but I don't know where or how to use them.

Many thanks

James
  • Did you know that Stack Overflow has a search function? ;-) http://stackoverflow.com/questions/6379433/mysql-prepared-statements – Marged Jun 27 '15 at 15:02
  • Thanks for the link but I'm a bit confused. Can I get an example of what I would do with $query = "SELECT * FROM Users WHERE Username='$myusername' and Password='$mypassword'"; ? Very new to this! All help is really appreciated! – James Jun 27 '15 at 15:29
  • This resource should give you enough information and examples to achieve result form http://php.net/manual/en/mysqli.prepare.php – emii Jun 27 '15 at 16:01

1 Answer


You should be using the PHP PDO library http://php.net/manual/en/book.pdo.php or at least MySQLi http://php.net/manual/en/book.mysqli.php

The mysql_ function family is deprecated and insecure in itself.

Here you can read about MySQLi prepared statements and parameter binding http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

emii
  • Is MySQLi included with the MySQL & phpMyAdmin package? I'm using free hosting and can't add or remove anything. – James Jun 27 '15 at 15:33
  • MySQLi extension is included with PHP 5 and higher, it should be available at 000webhost.com as well. – emii Jun 27 '15 at 15:58
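As an added example (not code from the question or the answer above), here is the login query from the question rewritten as a PDO prepared statement with bound parameters, with the original string-built query kept beside it for contrast. It runs against an in-memory SQLite database (assumed: the pdo_sqlite extension is available) so it needs no server; the table and column names (Users, Username, Password) follow the question. It goes beyond the question in one respect: the Password column is assumed to hold a password_hash() digest rather than the plaintext the original code compares against.

```php
<?php
// Added example, not code from the original post or its answer.
// Assumes pdo_sqlite; the table layout Users(Username, Password) follows the post.

function connectDb(string $dsn, string $user = '', string $pass = ''): PDO
{
    return new PDO($dsn, $user, $pass, [
        // Throw on SQL errors instead of returning false and hiding them.
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Ask for real server-side prepares where the driver supports them (MySQL does);
        // emulated prepares still quote safely, but native binding keeps SQL and data apart.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// The query exactly as the post builds it: input is pasted into the SQL text, so a
// quote in the username ends the string literal and a comment marker discards the
// rest of the WHERE clause, including the password condition.
function vulnerableLogin(PDO $db, string $username, string $password): bool
{
    $query = "SELECT * FROM Users WHERE Username='$username' and Password='$password'";
    $rows  = $db->query($query)->fetchAll();
    return count($rows) === 1;   // the same test as mysql_num_rows($result) == 1
}

// Hardened version: the SQL text is a constant, the value travels separately as a
// bound parameter, so quotes and comment markers in it are only data.
function safeLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT Password FROM Users WHERE Username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();
    if ($row === false) {
        return false;
    }
    // Assumption beyond the post: Password holds a password_hash() digest, and
    // password_verify() does the comparison, so the cleartext never reaches the DB.
    return password_verify($password, $row['Password']);
}

// Constructed demo data. The bypass string uses "--" because SQLite does not treat
// "#" as a comment marker; against MySQL the post's admin'# works the same way.
function demo(): array
{
    $db = connectDb('sqlite::memory:');
    $db->exec('CREATE TABLE Users (Username TEXT NOT NULL, Password TEXT NOT NULL)');
    $insert = $db->prepare('INSERT INTO Users (Username, Password) VALUES (:u, :p)');
    $insert->execute([':u' => 'admin', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    $insert->execute([':u' => 'james', ':p' => password_hash('battery staple', PASSWORD_DEFAULT)]);

    $bypass = "admin'-- ";
    return [
        'vulnerable, bypass string, blank password' => vulnerableLogin($db, $bypass, ''),
        'safe, bypass string, blank password'       => safeLogin($db, $bypass, ''),
        'safe, admin, correct password'             => safeLogin($db, 'admin', 'correct horse'),
        'safe, admin, wrong password'               => safeLogin($db, 'admin', 'battery staple'),
    ];
}

foreach (demo() as $case => $loggedIn) {
    printf("%-44s %s\n", $case, $loggedIn ? 'logged in' : 'rejected');
}
```

Run it with `php login_example.php`. The first case logs in with a blank password because the comment marker removes the password condition from the interpolated query; the second case is rejected because the bound parameter is compared as a literal username containing a quote and dashes, which matches no row. For the real site, swap the DSN for `mysql:host=...;dbname=...` with the hosting credentials and store `password_hash()` output in the Password column instead of plaintext.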