2

I'm just starting to learn PHP (alongside SQL) and I've looked a lot into security measures. This website: https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet has helped me, although most of it is admittedly lost to a beginner like me.

I've found that to prevent an SQL injection the best way to proceed is through prepared and parameterized queries. So I've written my PHP code in PDO.

But I still feel like its not all that secure, especially because I am handling file transfer.

I would appreciate it if any one could look at the methodology of my code to see if there is any immediate security issues with it.

Thanks :)

<?php $servername = "localhost";
$username = "hello";
$password = "world";
$dbname = "file_uploads";

try {
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, 
$password);
// set the PDO error mode to exception
$dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// prepare sql and bind parameters
$stmt = $conn->prepare("INSERT INTO file_uploads (file, name) VALUES (:file, 
:name");

$stmt->bindParam(':name', $name); 
$stmt->bindParam(':file', $file); 

// from data in an html form
$name=$_POST['name'];
$file=$_POST['file'];

$stmt->execute();

echo "New records created successfully";
}
catch(PDOException $e)
{
echo "Error: " . $e->getMessage();
}
$conn = null;
?>
Idioteque
  • 21
  • 2

1 Answers1

0

But I still feel like its not all that secure, especially because I am handling file transfer.

So, there are two issues being concerned with right now:

  • Are prepared statements enough to stop SQL injection?
  • Is this a safe way to upload files?
    • The code is broken in many ways, but nothing directly security-related jumps out at me.
    • See this guide for handling file uploads. Note that you'll want to use $_FILES not $_POST to process uploaded files.
Scott Arciszewski
  • 33,610
  • 16
  • 89
  • 206