
Hello guys, the PHP code given below is mine. I need to know whether it is vulnerable or not.

    // The e-mail value is interpolated straight into the SQL string.
    $sql = "select Email,Password from user where Email='$emailid'";
    $ctr = 0;
    try
    {
        $result = $con->query($sql);
        foreach ($result as $row)
        {
            $ctr++;
            $pword = $row['Password'];
        }
    }
    catch (PDOException $e)
    {
        $errTyp = "danger";
        $errMSG = "Something went wrong, try again later...";
    }

    if ($ctr == 0)
    {
        $errTyp = "danger";
        $errMSG = "Invalid Username | Password";
    }
    else
    {
        if ($pword == $password) {
            $_SESSION['Id'] = $emailid;
            // ... the posted snippet ends here
        }
    }

Here is my PHP login page code. Just to confirm, how vulnerable is the above code to SQL injection?

Federkun
Sr33raj

2 Answers


Simple,

    $sql = "select Email,Password from user where Email='$emailid'";

If $emailid could be,

    $emailid = 'or 1=1';

Injection,

    $sql = "select Email,Password from user where Email=''or 1=1";

It will return the first record of your database.

So an attack will happen!

Shankar Thiyagaraajan

I see that the main problem could be the origin of the $emailid:

    Email='$emailid'"

You can't trust the data sent from the client ($_POST, $_GET). That's a main principle in security. So if you have sanitized/filtered the POST variables you should be OK. If not, you should at least use prepared statements:

http://php.net/manual/en/pdo.prepare.php
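The following is an added example, not code from the question or from either answer: the lookup from the question rewritten with the PDO prepared statement the second answer recommends. The e-mail value travels as a bound parameter, so the SQL text the database parses never changes. The function name findUserByEmail, the in-memory SQLite database, and the sample row are assumptions made for this demo; the `user` table and `Email`/`Password` columns follow the question's query.

```php
<?php
// Added example (not from the question or either answer): the login lookup
// from the question rewritten with a PDO prepared statement. The table and
// column names come from the question; the SQLite in-memory database, the
// sample row and the function name are constructed for this demonstration.

function findUserByEmail(PDO $con, string $emailid): ?array
{
    // The SQL text is fixed. ":email" is a placeholder filled by the driver,
    // not string interpolation, so quotes in $emailid cannot alter the query.
    $stmt = $con->prepare('SELECT Email, Password FROM user WHERE Email = :email');
    $stmt->bindValue(':email', $emailid, PDO::PARAM_STR);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- demo setup with constructed data ---
$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$con->exec('CREATE TABLE user (Email TEXT PRIMARY KEY, Password TEXT NOT NULL)');
$ins = $con->prepare('INSERT INTO user (Email, Password) VALUES (:e, :p)');
$ins->execute([':e' => 'alice@example.com', ':p' => 'constructed-secret']);

// A genuine address matches exactly one row.
$row = findUserByEmail($con, 'alice@example.com');
echo $row === null ? "no user\n" : "found {$row['Email']}\n";

// The input quoted in the first answer is compared as a literal string value,
// so it matches no stored e-mail and the lookup returns nothing.
$row = findUserByEmail($con, "'or 1=1");
echo $row === null ? "no user for that input\n" : "UNEXPECTED: {$row['Email']}\n";
```

Replacing `$con->query($sql)` in the original snippet with this function keeps the rest of the flow (the `$ctr` check and the error messages) unchanged. When the backend is MySQL rather than SQLite, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the server, not the PHP driver, separates the query from its parameters.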