
This code is vulnerable to SQL injection. How can I improve it to prevent injections? And how can I test this code with injections? This is my code:

```php
if (isset($_POST['name'])) {
    $name = $_POST['name'];
}
if (isset($_POST['remarcs'])) {
    $remarcs = $_POST['remarcs'];
}
if (isset($_POST['test_res'])) {
    $test_res = $_POST['test_res'];
}
if (isset($_POST['address'])) {
    $address = $_POST['address'];
}

if (isset($_POST['date'])) {
    $date = $_POST['date'];
}

if (isset($_POST['phone_num'])) {
    $phone = $_POST['phone_num'];
}

if (isset($_POST['illness'])) {
    $illness = $_POST['illness'];
}
if (isset($_POST['echo'])) {
    $echo = $_POST['echo'];
}
if (isset($_POST['pe'])) {
    $pe = $_POST['pe'];
}
if (isset($_POST['pmhx'])) {
    $pmhx = $_POST['pmhx'];
}
if (isset($_POST['pshx'])) {
    $pshx = $_POST['pshx'];
}
if (isset($_POST['habbits'])) {
    $habbits = $_POST['habbits'];
}
if (isset($_POST['occup'])) {
    $occup = $_POST['occup'];
}
if (isset($_POST['allergy'])) {
    $allergy = $_POST['allergy'];
}

// Check whether a file was uploaded or not
//if (isset($_FILES['file']['name']) && $_FILES['file']['name']!='' && $_FILES['file']['error']=='') {
//$path2 = ... ;
//move_uploaded_file(...);
if (is_uploaded_file($_FILES["file"]["tmp_name"])) {
    $path = "../uploads/" . $_FILES['file']['name'];
    move_uploaded_file($_FILES["file"]["tmp_name"], $path);
    $new_path = "./uploads/" . $path;
} else {
    $new_path = $_POST['org_path'];
    //$path2 = "../uploads/".$_FILES['echo_photo']['name'];
}
//move_uploaded_file($_FILES["file"]["tmp_name"], $path);
//$new_path = $path;
$sql = "UPDATE $tbl_name SET
name = '$name',
echo_files = '$new_path',
remarcs = '$remarcs',
test_res = '$test_res',
date = '$date',
address = '$address',
phone_num = '$phone',
illness = '$illness',
echo = '$echo',
pmhx = '$pmhx',
pshx = '$pshx',
habbits = '$habbits',
occup = '$occup',
allergy = '$allergy',
pe = '$pe'
WHERE id = " . $id;

$result = mysqli_query($con, $sql) or die('Unable to execute query. ' . mysqli_error($con));
```

2 Answers

1) You can use prepared statements

A prepared statement or a parameterised statement is used to execute a statement securely with high efficiency. E.g.: PDO

2) For advanced hardening techniques you may refer to OWASP SQL Injection Prevention

Harikrishnan
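To make the first answer concrete for the code in the question, here is the UPDATE rewritten with a mysqli prepared statement. This is an added example, not code from the question or from either answer: the function name `updateRecord` is mine, and `$con`, `$tbl_name`, `$id` and `$new_path` are assumed to exist exactly as in the original snippet.

```php
<?php
// Added example (not from the question or answers): the question's UPDATE as
// a mysqli prepared statement. $con, $tbl_name, $id and $new_path are assumed
// to exist as in the original code. A table name cannot be bound as a
// parameter, so $tbl_name must be a constant from your code, never user input.
function updateRecord(mysqli $con, string $tbl_name, int $id, array $fields): int
{
    // Column whitelist: request keys outside it are silently ignored.
    $allowed = ['name', 'echo_files', 'remarcs', 'test_res', 'date', 'address',
                'phone_num', 'illness', 'echo', 'pmhx', 'pshx', 'habbits',
                'occup', 'allergy', 'pe'];
    $set = [];
    $values = [];
    foreach ($allowed as $col) {
        if (array_key_exists($col, $fields)) {
            $set[] = "`$col` = ?";            // placeholder, never the value
            $values[] = (string) $fields[$col];
        }
    }
    if ($set === []) {
        return 0;
    }
    $sql = "UPDATE `$tbl_name` SET " . implode(', ', $set) . " WHERE id = ?";
    $stmt = $con->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    // One 's' per text column, then 'i' for the id in the WHERE clause.
    $types = str_repeat('s', count($values)) . 'i';
    $values[] = $id;
    $stmt->bind_param($types, ...$values);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Usage: form values travel as data, so a name such as O'Brien or any input
// containing quotes or SQL keywords is stored literally, not parsed as SQL.
$fields = [];
foreach (['name', 'remarcs', 'test_res', 'address', 'date', 'phone_num',
          'illness', 'echo', 'pe', 'pmhx', 'pshx', 'habbits', 'occup',
          'allergy'] as $key) {
    if (isset($_POST[$key])) {
        $fields[$key] = $_POST[$key];
    }
}
$fields['echo_files'] = $new_path;  // set by the upload branch in the question
updateRecord($con, $tbl_name, (int) $id, $fields);
```

To test it, submit a value containing a single quote (for example the name O'Brien) and confirm the row is updated with that literal value and no error; the original string-concatenated query would have failed or changed meaning on the same input.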

It's my suggestion. Use regex to check variable values.

For example:

If a field expects an integer, check whether it's an integer (only an integer).

If it is a string, check whether it's only alphanumeric.

If you upload files to your server, don't give them execute permission.

Check the length of values.

Use addslashes to escape single quotes.

Use mysqli_real_escape_string.

Use mysqli prepared statements.

Use htmlentities.

Overall, allow the variable to contain only what you think it should contain.

etc.

Only after all these things should you consider a variable in your SQL query.

Sugumar Venkatesan