0

I am creating a web app to allow database creation though, I want to restrict the creation to one database per user , also i have not yet implemented any security at this point my concern is the logic. I will implement security after I have the correct logic. So please give advice on the logic.

  1. I am looking for advice to see how I can improve this script. It is functional and does work at this point.

        //define connection
    $conn = mysqli_connect('localhost', 'root','XXXXX','billing');

    //Variables
    $UserEmail = $_SESSION['email'];
    $MysqlUserDataBaseCreate = $_POST['create_database'];

    //CheckIfUserExists
    $SeeIfUserExist = "SELECT * FROM database_users WHERE email='$UserEmail';";
    $SqlQueryUserCheck = mysqli_query($conn,$SeeIfUserExist);
    $CheckIfRowDataExist = mysqli_num_rows($SqlQueryUserCheck);


    //ToCreateDataBaseAndUser
    if($CheckIfRowDataExist < 1){
      $InsertDataBaseIntel ="INSERT INTO database_users(email,check_if_created) VALUES ('$UserEmail','$MysqlUserDataBaseCreate');";
      mysqli_query($conn,$InsertDataBaseIntel);
      $CreateDataBaseForUser ="CREATE DATABASE $MysqlUserDataBaseCreate ;";
      mysqli_query($conn,$CreateDataBaseForUser);

    }else{
      echo 'you are restrictd to one database';
    }


    ?>
jim
  • 1
  • 5
  • 2
    You shouldn't even have a table per user, let alone a database - just use one table for all users. Also, you should look into [**prepared statements**](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php), as your code is currently **vulnerable** to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection). Finally, ensure your DB user only has the [**required privileges**](https://en.wikipedia.org/wiki/Principle_of_least_privilege). You can refer to [**this post**](http://stackoverflow.com/questions/60174) for further information on how to prevent SQL injection in PHP :) – Obsidian Age Jun 28 '18 at 20:46
  • My objective is to create script that could be used for a hosting company. This is why I am allowing the users to create a database. – jim Jun 28 '18 at 20:49
  • Everything about this code is **extremely dangerous**. If you're intending to deploy this you have a lot of work to do to ensure this can't be used maliciously. Security is not something you can bolt on top. It **must** be considered at every single level. – tadman Jun 28 '18 at 22:38
  • I am not intending to use this it is just for practice. – jim Jun 28 '18 at 23:03

0 Answers0