0

I want to know if my code is 100% secure agasint SQL injection, it looks like this:

$table = $_GET['table'];
switch ($table) {
case 'data':
    $sql = "select * from $table";
    break;
case 'anothertable':
    $sql = "select * from $table";
    break; 
}
$con = new mysqli($hostname,$username,$password,$db_name);
$result = $con->query($sql);
Toby Speight
  • 27,591
  • 48
  • 66
  • 103
Luis
  • 31
  • 6
  • No this is definitely not safe. – Daan Apr 21 '16 at 08:51
  • Possible duplicate of [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Epodax Apr 21 '16 at 08:52

3 Answers3

1

If $table is not matched by the switch, you haven't set $sql at all...

Otherwise, you have avoided the risk of injecting bad things via $table by whitelisting the acceptable table names.

One point I would make is that one has to read quite closely to see that $table has changed from an untrusted input to a validated table name. So anyone coming to your code in future may think

  1. that you have a problem here that needs fixing, or
  2. that interpolating variables into SQL queries is generally acceptable.

So probably worth going out of your way to explain in comments what you're doing, and (more importantly) why.

Toby Speight
  • 27,591
  • 48
  • 66
  • 103
0

In your place I would avoid such a dynamical querying based on the user input, as it smells of a bad application design,

But in regard of SQL injection your code is safe, as it's rightfully implementing the only proper strategy possible - the whitelisting.

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
  • I think the same as you, whitelisting must avoid sql injections but I want to be sure and if I would add prepared statements – Luis Apr 21 '16 at 09:25
  • prepared statements could help only with string and numeric literals. You are using none, thus prepared statements are inapplicable in your case at all. – Your Common Sense Apr 21 '16 at 09:31
-2

Your code is not safe. Here is an example of how you would make it safe with MySQL (PDO). I'm doing it in PDO because that is what I use often and not mysqli :)

$table = $_GET['table'];

$valid_command = FALSE;//value becomes true if you find your
//value in the following if conditional

if (($table==='table')||($table==='anothertable'))
{
  $valid_command = TRUE;
}

if ($valid_command)
{
  $sql = "SELECT * FROM table";
  $sqlPrepared = $conn->prepare($sql);
  $sqlPrepared->bindParam(':table', $table);
  $sqlPrepared->execute();
}

If you wish to do this in mysqli, it is easy to adapt it. Hope that helps.

Webeng
  • 7,050
  • 4
  • 31
  • 59
  • 2
    this answer is irrelevant ot the question *and* wrong by iteslf. – Your Common Sense Apr 21 '16 at 09:13
  • @YourCommonSense Why is it irrelevant? I answered that his code is not safe and followed up with a solution to making it safe. Also, please let me know what is wrong with my code, as I always am open to constructive criticism. – Webeng Apr 21 '16 at 09:19
  • 1
    Could you give me an example injecting SQL commands to my code? – Luis Apr 21 '16 at 09:21
  • How is his code not safe and why you consider your (incorrect code) safer? – Your Common Sense Apr 21 '16 at 09:22
  • @YourCommonSense Well first his code code as it stands would break in the situation that $table is neither 'table' nor 'anothertable' given that no value is being placed in $sql. Could I know where my code is wrong though? Typo our something logic in the code? – Webeng Apr 21 '16 at 09:28
  • @YourCommonSense and there is no point being rude. I was asking for constructive critisicm which I do appreciate. If you want to have a nice discussion then I'm all for it, but if you are looking for a negative argument I would rather pass. – Webeng Apr 21 '16 at 09:29