
by setting a page to "register" users into a MySQL database, and using the following code:

$name = $_POST['name'];
$saltedpwd = md5($definedsalt.$_POST['pwd']);
$email = $_POST['email'];

$query = "INSERT INTO `users` ( `name`, `pwd`, `email` ) VALUES ( '$name', '$saltedpwd', '$email' )";
$insert = mysqli_query($database, $query);

is it vulnerable to any possible SQL injections?

About the email activation code, using this code:

$address = $_GET['email'];

if (isset($_GET['val']) && (strlen($_GET['val']) == 64))
{
    $validate = $_GET['val'];
}

if (isset($address) && isset($validate))
{
    $query = "UPDATE users SET activated = 'true' WHERE ( email ='$address' AND validate='$validate' ) LIMIT 1";
    $result_query = mysqli_query($database, $query);

    $get_member = mysqli_query($database, "SELECT name FROM users WHERE email = '$address'");
    $query_get = mysqli_fetch_array($get_member);
    $validated_name = $query_get['name'];
    $insert_validate = "INSERT INTO `member` ( `name` ) VALUES ( '$validated_name' )";
    $result_insert = mysqli_query($database, $insert_validate);
}

Is it then vulnerable to any SQL injections? I suppose yes, because I have to retrieve the value from a $_GET request, so I guess they are allowed to put something like:

page.php?email=address@address.com'SQL_INJECTION'&val=123456asdfghjkl

Am I wrong? If it is actually vulnerable, how do I prevent any injections?

BlackSys
  • definitely vulnerable, use [prepared statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – iam-decoder Aug 07 '15 at 23:08
  • Yes, because you're injecting `$_POST['name']` directly into your SQL.... it could contain anything – Mark Baker Aug 07 '15 at 23:15
  • How about adding a "mysqli_real_escape_string" to each of the variables? Can people still inject? – BlackSys Aug 07 '15 at 23:16
  • Then actually how do I prevent this? Any example of a "prepared statement"? I followed the wiki/documentation, but I did not understand it very well. Isn't it the same as parsing each variable and eliminating special characters? I mean, if I need to check for an email like "test@test.email", how can PHP actually expect to be receiving an email format, and not something like "UPDATE/SELECT bla bla"? – BlackSys Aug 07 '15 at 23:19
  • no, it separates execution code from parameters – Drew Aug 07 '15 at 23:20
  • I think I understand, so it's like the query is being sent "empty" of variables to the database, and then the variables are inserted later? How could that be possible, I mean, the variables and the query don't have to be sent at the same time? – BlackSys Aug 07 '15 at 23:22
  • @BlackSys did you click the link *How can I prevent SQL-injection in PHP?* that posted? That should give you quite a good idea. – Script47 Aug 07 '15 at 23:23
  • I'll check now that link – BlackSys Aug 07 '15 at 23:26
  • @BlackSys, "if I need to check for an email like "test@test.email" how can actually PHP expect to be receiving a email format" - you can use regular expressions - check the format of every GET variable, disallow 'dangerous' characters... In combination with mysqli_real_escape_string... you could be pretty safe. BUT - prepared statements are an easier and faster way to get an even better level of security. :) – sinisake Aug 07 '15 at 23:28
  • Just to get an example, then the first query would be like this? : $par = $database->prepare('INSERT INTO `users` ( `name`, `pwd`, `email` ) VALUES ( ?, ?, ? )'); then this: $par->bind_param('n', $name); $par->bind_param('p', $pwd); $par->bind_param('e', $email); then this one: $par->execute(); is it correct? But then how does PHP know that the parameter bound as "n" is for the "name" field and not for the "email" field, for example? – BlackSys Aug 07 '15 at 23:33
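The following is an added example, not code from the question or any of the commenters: it rewrites the two pages from the question (registration and email activation) with mysqli prepared statements. It assumes `$database` is an open mysqli connection, that the tables and columns named in the question exist, that `mysqli_stmt::get_result()` is available (mysqlnd), and that the activation token is a 64-character lowercase hex string; the question's salted md5 is replaced by `password_hash()`. The point that answers the last comment above: in `bind_param()` the first argument is a list of types (`'sss'` means three strings), and each value is matched to a `?` placeholder by position, not by a letter you choose, so the database receives the SQL text and the values separately and never parses the values as SQL.

```php
<?php
// Added example (not the asker's code). Assumes $database is an open mysqli
// connection and the users/member tables from the question exist.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make SQL errors throw

function registerUser(mysqli $database, string $name, string $pwd, string $email): bool
{
    // Shape check first: a value that is not an email address never reaches the DB.
    if ($name === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Swapped in for the question's md5($definedsalt . $pwd): salted, slow hash.
    $hash = password_hash($pwd, PASSWORD_DEFAULT);

    // The SQL text contains only placeholders; user data is never part of it.
    $stmt = $database->prepare(
        'INSERT INTO `users` (`name`, `pwd`, `email`) VALUES (?, ?, ?)'
    );
    // 'sss' = three string parameters, bound to the three ? in order.
    // Position decides which column each value goes to, not the letter.
    $stmt->bind_param('sss', $name, $hash, $email);
    $stmt->execute();
    return $stmt->affected_rows === 1;
}

function activateUser(mysqli $database, string $address, string $val): bool
{
    // Assumption: the token is 64 hex characters (the question only checks strlen == 64).
    if (!preg_match('/^[0-9a-f]{64}$/', $val)
        || filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    $stmt = $database->prepare(
        "UPDATE `users` SET `activated` = 'true' WHERE `email` = ? AND `validate` = ? LIMIT 1"
    );
    $stmt->bind_param('ss', $address, $val);
    $stmt->execute();
    if ($stmt->affected_rows !== 1) {
        return false; // no such address/token pair, or already activated
    }

    $stmt = $database->prepare('SELECT `name` FROM `users` WHERE `email` = ?');
    $stmt->bind_param('s', $address);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null) {
        return false;
    }

    $validatedName = $row['name'];
    $stmt = $database->prepare('INSERT INTO `member` (`name`) VALUES (?)');
    $stmt->bind_param('s', $validatedName);
    $stmt->execute();
    return $stmt->affected_rows === 1;
}

// Usage on the question's two pages (constructed calls):
// registerUser($database, $_POST['name'] ?? '', $_POST['pwd'] ?? '', $_POST['email'] ?? '');
// activateUser($database, $_GET['email'] ?? '', $_GET['val'] ?? '');
```

The validation calls are not what stops the injection; the placeholders are. They are there so that a malformed address or token is rejected before any query runs, which also makes the rest of the code simpler to reason about.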

2 Answers

Yes, it is.

What if a user enters the following line as the name?

','',''); ANY_SQL_QUERY_HERE --

then this

$query = "INSERT INTO `users` ( `name`, `pwd`, `email` ) VALUES ( '$name', '$saltedpwd', '$email' )";

becomes

INSERT INTO `users` ( `name`, `pwd`, `email` ) VALUES ( '','',''); ANY_SQL_QUERY_HERE --', '$saltedpwd', '$email' )

You should NEVER build a query by directly concatenating strings; you must use prepared statements.

More about prepared statements - http://php.net/manual/en/pdo.prepared-statements.php

For example, your query could be done like this:

$query = "INSERT INTO users (name,pwd,email) VALUES (:name,:pwd,:email)";
$statement = $pdoDatabaseHandle->prepare($query);
$statement->bindValue(':name',$name);
$statement->bindValue(':pwd',$saltedpwd);
$statement->bindValue(':email',$email);
$statement->execute();

Overall, SQL injection is well explained at Wikipedia - https://en.wikipedia.org/wiki/SQL_injection

ogres
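As an added example (not part of the answer above, and not the project's code), the following script runs the answer's PDO statement against the exact "name" payload from the answer and reads the row back. It uses an in-memory SQLite database through the pdo_sqlite driver so it can be run offline without a MySQL server; the table is constructed here to match the question's columns. The result shows that a bound value is stored character for character as data and executes no SQL, which is the separation the comments above ask about.

```php
<?php
// Added example (not the answer's code). Uses SQLite in memory so it runs anywhere;
// the table is constructed to match the question's users table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Relevant with MySQL: send the statement and the parameters to the server
// separately instead of having the PHP client interpolate them into the SQL.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE users (name TEXT, pwd TEXT, email TEXT)');

function insertUser(PDO $pdo, string $name, string $saltedpwd, string $email): void
{
    // Same statement as the answer: the SQL text holds placeholders only.
    $statement = $pdo->prepare(
        'INSERT INTO users (name, pwd, email) VALUES (:name, :pwd, :email)'
    );
    $statement->bindValue(':name', $name);
    $statement->bindValue(':pwd', $saltedpwd);
    $statement->bindValue(':email', $email);
    $statement->execute();
}

function storedNames(PDO $pdo): array
{
    return $pdo->query('SELECT name FROM users')->fetchAll(PDO::FETCH_COLUMN);
}

// The "name" value from the answer above, passed as ordinary data.
$payload = "','',''); ANY_SQL_QUERY_HERE --";
insertUser($pdo, $payload, 'hash-placeholder', 'user@example.com'); // constructed values

$names = storedNames($pdo);
if (count($names) !== 1 || $names[0] !== $payload) {
    throw new RuntimeException('unexpected table contents');
}
echo "rows: ", count($names), "\n";
echo "name stored literally: ", $names[0], "\n";
```

Because the quotes, the closing parenthesis and the `--` arrive as part of a parameter, the database never sees them while parsing the statement; the row simply has an odd-looking name. That is why the answer insists on placeholders rather than on escaping each value by hand.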

I suggest looking into prepared statements. You are very susceptible to being attacked because the input isn't validated. Please refer here.

Nathu
  • Yeah I got it, however, I'm not understanding something. Like, where exactly are all the "functions" like "$conn->connect_error" defined, I mean, is ->connect_error a "standard" parameter used by PHP? – BlackSys Aug 07 '15 at 23:25
  • Yes, it's a function of mysqli in PHP. Please check it out here. http://php.net/manual/en/mysqli.connect-error.php – Nathu Aug 07 '15 at 23:27
  • But how about using MSSQL instead of MySQLi, is it the same? – BlackSys Aug 07 '15 at 23:29
  • Actually, it's somehow similar. If you scroll down on the link of w3school, you will see the PDO prepared statements. PDO supports 12 different drivers for databases. For more information, you can refer here -> http://code.tutsplus.com/tutorials/pdo-vs-mysqli-which-should-you-use--net-24059 – Nathu Aug 07 '15 at 23:40