Session variables can be changed from outside, so yes, that's a risk. There are several ways to overcome this risk; one thing is that you can use prepared statements, which is recommended. Or you could use filter_var to sort out potential threats, but definitely prepared statements are recommended.
Example of prepared statements. Not tested but should be fine.
<?php
session_start();                       // $_SESSION is only populated after this

$dataFromDb = array();
$conn = new mysqli('HOST', 'USER', 'PASS', 'DATABASE');
if ($conn->connect_error) {
    die('Database connection failed');
}

// The ? placeholder is bound separately from the SQL text, so whatever is in
// the session value is only ever compared against column z, never parsed as SQL.
$query = "SELECT x FROM y WHERE z = ?";
if ($stmt = $conn->prepare($query)) {
    $stmt->bind_param('s', $_SESSION['username']);   // 's' = bind as a string
    $stmt->execute();
    $result = $stmt->get_result();                   // needs the mysqlnd driver
    while ($row = $result->fetch_array(MYSQLI_ASSOC)) {
        $dataFromDb[] = $row;
    }
    $stmt->close();
}
$conn->close();
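As an added illustration (not part of the answer above, and not tested against the poster's database), here is the vulnerable string-concatenated query next to a hardened version that binds the value and also whitelists it with filter_var. The table `users`, its `id`, `email` and `username` columns, and the `$_SESSION['username']` key are assumed placeholders.

```php
<?php
// Added example, not from the original answer. Assumes a table `users` with
// `id`, `email` and `username` columns and that login stored $_SESSION['username'].
session_start();
$conn = new mysqli('HOST', 'USER', 'PASS', 'DATABASE');

// VULNERABLE: the session value is spliced into the SQL text. If it can be
// made to contain  x' OR '1'='1  the WHERE clause is rewritten and every row
// in the table comes back.
function findUserUnsafe(mysqli $conn, string $username): array
{
    $sql = "SELECT id, email FROM users WHERE username = '" . $username . "'";
    $res = $conn->query($sql);
    return $res ? $res->fetch_all(MYSQLI_ASSOC) : array();
}

// HARDENED: the value travels to the server as a bound parameter, so it can
// only be compared, never executed. The filter_var regexp is a whitelist check
// on top of that (defence in depth), not the main protection.
function findUserSafe(mysqli $conn, string $username): array
{
    $valid = filter_var($username, FILTER_VALIDATE_REGEXP,
        array('options' => array('regexp' => '/^[A-Za-z0-9_.-]{1,32}$/')));
    if ($valid === false) {
        return array();                 // reject rather than try to "clean" it
    }
    $stmt = $conn->prepare("SELECT id, email FROM users WHERE username = ?");
    $stmt->bind_param('s', $valid);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

$rows = findUserSafe($conn, $_SESSION['username'] ?? '');
$conn->close();
```

Rejecting a value that fails the whitelist is deliberate: trying to strip "bad" characters leaves the query's correctness depending on the filter, whereas binding makes the query safe regardless of what the session holds.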