Is it possible to get SQL Injection with this code:

<?php
session_start();
$id = session_id();   // the id PHP accepted for this request (from the session cookie, or a freshly generated one)
// Lookup by string concatenation; this is the line the question asks about
$logged = mysqli_fetch_array(mysqli_query($dbbase, "SELECT id,user FROM sess WHERE id='".$id."'"));

Do I need to validate $id variable and escape special characters?

Recently I found something in the PHP error logs: PHP Warning: session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in ... .

Do you have any suggestions on how I can prevent that?

rimas
    Make sure your column length is long enough and use parameterized statements to avoid injections, even if it might not seem vulnerable... https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – Zeke Dec 02 '17 at 17:23
  • Although I'm almost sure a user cannot pass a random session ID (no, a user can pass one, but it will be ignored as not matching any existing session), the best way to check is to fake the session ID through URL parameters or by editing the cookie, and then check what goes into the SQL query. – skyboyer Dec 02 '17 at 17:34
  • skyboyer, I have tried to fake the session ID. It didn't work for me. I tried to delete it and leave it empty, and it gave me this error. I tried to place special characters like ' and " - no errors. But still, it never happened to me before. So I was thinking maybe someone is trying to hack their way in through the session id cookie. – rimas Dec 02 '17 at 17:42
  • And as Zeke said, I will try to use parameterized statements just in case. It shouldn't do any harm if I do that, should it? – rimas Dec 02 '17 at 17:46
  • @rimas it will not do harm, it is best practice. Never trust **any** input. – Pocketsand Dec 02 '17 at 17:55
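The following is an added example, not code from the question or from any answer on this page. It puts together the two pieces the comments ask for: Zeke's parameterized lookup, and a way to run skyboyer's "fake the cookie" check without a browser. It also handles the warning in the question: the value is rejected before session_start() sees it, using the same character set the warning names (a-z, A-Z, 0-9, '-' and ','), so PHP issues a fresh id instead of logging a warning about the one the client sent. The concatenated query in the question only holds up because PHP filters the id first; the prepared statement removes that dependency. Assumptions not stated in the question: $dbbase is an open mysqli connection, the table is sess(id, user) as shown, and the session cookie uses the default name returned by session_name(). The 1..128 length bound mirrors PHP's own session-id check as I know it; treat the exact number as an assumption and keep it as a conservative upper bound.

```php
<?php
// Added example (not the question's own code): validate the incoming
// session cookie before session_start(), then look the id up with a
// prepared statement instead of string concatenation.
//
// Assumptions (not from the question): $dbbase is an open mysqli
// connection, the table is sess(id, user), and the session cookie uses
// the default name returned by session_name().

/**
 * Same rule the PHP warning describes: only a-z, A-Z, 0-9, '-' and ','.
 * The 1..128 length bound mirrors PHP's own session-id check (assumption).
 */
function isValidSessionId(string $id): bool
{
    return preg_match('/\A[A-Za-z0-9,-]{1,128}\z/', $id) === 1;
}

/**
 * Drop a malformed session cookie, then start the session.
 * session_start() reads the id from $_COOKIE, so removing the value here
 * makes PHP generate a new id rather than warn about the client's one.
 * Returns the id PHP is actually using for this request.
 */
function startSessionSafely(): string
{
    $cookieName = session_name();   // "PHPSESSID" unless php.ini changes it
    if (isset($_COOKIE[$cookieName]) && !isValidSessionId((string) $_COOKIE[$cookieName])) {
        unset($_COOKIE[$cookieName]);
    }
    session_start();
    return session_id();
}

/**
 * Look the session row up with a bound parameter: the id is sent to MySQL
 * separately from the SQL text, so a value containing ' or " cannot change
 * the query. Returns ['id' => ..., 'user' => ...] or null when no row matches.
 */
function findSession(mysqli $db, string $id): ?array
{
    $stmt = $db->prepare('SELECT id, user FROM sess WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $id);            // 's' = bind as a string
    $stmt->execute();
    $stmt->bind_result($rowId, $rowUser);   // portable; no mysqlnd needed
    $row = $stmt->fetch() ? ['id' => $rowId, 'user' => $rowUser] : null;
    $stmt->close();
    return $row;
}

// Drop-in replacement for the three lines in the question (needs $dbbase):
//   $logged = findSession($dbbase, startSessionSafely());

// The check skyboyer suggests, run offline against constructed cookie
// values. These are made up for the example, not taken from any real log.
$samples = [
    'abc123DEF456'       => true,   // ordinary id
    'a-b,c'              => true,   // '-' and ',' are allowed
    "foo' OR '1'='1"     => false,  // quote and spaces: rejected
    ''                   => false,  // empty cookie: rejected
    str_repeat('a', 129) => false,  // too long: rejected
];
foreach ($samples as $value => $expected) {
    $got = isValidSessionId((string) $value);
    printf("%-20s -> %s\n", var_export((string) $value, true), $got ? 'accepted' : 'rejected');
    if ($got !== $expected) {
        throw new LogicException('unexpected result for ' . var_export($value, true));
    }
}
```

Run the file on the command line and it exercises only the validator; in the web application, call findSession($dbbase, startSessionSafely()) where the question's three lines were. Two caveats: setting session.use_strict_mode=1 additionally makes PHP discard an id that does not exist in the session store, which covers the "random but well-formed id" case the comments discuss; and the validator must run before session_start(), because once the session has started the warning has already been logged.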

0 Answers