0

I'm making a forum in php and MySql, so I need to insert and select data from my data base. I'm using mysqli to connect to my db. Something like this:

$link=mysqli_connect("fake_server", "fake_user", "fake_pass", "fake_db");

$user=mysqli_real_escape_string($link, $_POST['user']);
$pass=hash("sha256", mysqli_real_escape_string($link, $_POST['pass']));

$combo=mysqli_fetch_array(mysqli_query($link, "SELECT 1 FROM users WHERE user='$user' AND pwd='$pass'"));
if($combo==0){
        // ERROR
} else {
        // CORRECT
}
mysqli_close($link);

The problem is the next one: Everybody say that mysqli_real_escape_string() is MUCH better than addslashes() for insert, but I want users can use single and double quotes in their topics. Myqsli_real_escape_string() removes them but addslashes() doesn't. What can I do in this context?

Zombo
  • 1
  • 62
  • 391
  • 407
jlxip
  • 125
  • 1
  • 12

2 Answers2

1

You should use prepared statements, http://php.net/manual/en/mysqli.quickstart.prepared-statements.php. In the future please provide your code in your question. Here's how you can use your current code with prepared statements:

$link=mysqli_connect("fake_server", "fake_user", "fake_pass", "fake_db");
$user=$_POST['user'];
$pass=hash("sha256", $_POST['pass']); 
$stmt = $link->prepare("SELECT 1 FROM users WHERE user = ? AND pwd = ?");
$stmt->bind_param("ss", $user, $pass);
$combo=mysqli_fetch_array($stmt->execute());
if($combo==0){
        // ERROR
} else {
        // CORRECT
}
mysqli_close($link);

Further reading on the topic:
How can I prevent SQL injection in PHP?
mysqli or PDO - what are the pros and cons?
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29
http://php.net/manual/en/mysqlinfo.api.choosing.php

Community
  • 1
  • 1
chris85
  • 23,846
  • 7
  • 34
  • 51
  • But, connecting to the db by mysqli* although using PDO queries is also good for protecting against injections or is more secure connecting by PDO? – jlxip Aug 04 '15 at 08:56
  • They both can use parameterized queries and I haven't heard an argument for one over the other. I'll update answer with additional links on the topic. – chris85 Aug 04 '15 at 12:34
0

Use a parameterized query with PDO and forget worrying about escaping your queries.

Edit

Your test code:

$link=mysqli_connect("fake_server", "fake_user", "fake_pass", "fake_db");

$user=mysqli_real_escape_string($link, $_POST['user']);
$pass=hash("sha256", mysqli_real_escape_string($link, $_POST['pass']));

$combo=mysqli_fetch_array(mysqli_query($link, "SELECT 1 FROM users WHERE user='$user' AND pwd='$pass'"));
if($combo==0){
        // ERROR
} else {
        // CORRECT
}
mysqli_close($link);

The PDO version:

$pdo = new PDO('mysql:host=fake_server;dbname=fake_db', 'fake_user', 'fake_pass');

$query = $pdo->prepare("SELECT 1 FROM users WHERE user='?' AND pwd='?'");
$query->execute(array($_POST('user'), hash('sha256', $_POST('pass')));

if ($combo = $query->fetch ()) {
  // CORRECT
  // $combo would contain an array containing your select fields
} else {
  // ERROR
}
Parris Varney
  • 11,320
  • 12
  • 47
  • 76