-2

I have been given a project to complete, in the backend there are SQL statements doing various things, as you'd expect.

In the past I have used PDO to construct SQL queries that use parameterisation to avoid injection attacks.

Whilst reading through the code I noticed many queries in the form of:

$sql = "SELECT * FROM detail WHERE email ='$email'";
$query = mysqli_query($dbcon, $sql);

With no parameterisation or cleaning of input.

Is this type of query vulnerable? Should there not be some form of parameterisation and, more importantly, should I explain the risks involved, as it seems the developer was unaware of the risk?

chris85
Jesse Luke Orange
  • *Is this type of query vulnerable?* Yes. *Should there not be some form of parameterisation?* Yes. But you can achieve it with mysqli; you must not change to PDO – Jens Aug 16 '17 at 12:28
  • You can achieve what you want with mysqli, but IMHO, PDO is easier to use than `MySQLi_*` – GrumpyCrouton Aug 16 '17 at 12:50
  • Your code has `mysqli` connections and `PDO` connections? – chris85 Aug 16 '17 at 12:59

1 Answer

2

Yes it is.

But you can use this with mysqli: http://php.net/manual/en/mysqli.prepare.php

So with your data it will be like:

// The SQL text is fixed here; the "?" is a placeholder, not part of the string
$prepare = $dbcon->prepare("SELECT * FROM detail WHERE email = ?");
// Bind $email as a string ("s"); it is sent separately from the SQL text
$prepare->bind_param("s", $email);
$prepare->execute();
// Fetch rows from the executed statement (get_result() requires mysqlnd)
$result = $prepare->get_result();
Funk Forty Niner
Thibault Dumas