
I was wondering: is this code safe from SQL injection and other types of exploits? If it is safe, can anyone explain to me how? And if it isn't, can anyone make corrections?

<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "form";

// Requesting values from form.html
$a = $_REQUEST['fname'];
$b = $_REQUEST['lname'];
$c = $_REQUEST['email'];

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// Prepare and bind
$stmt = $conn->prepare("INSERT INTO my_db (fname, lname, email)
  VALUES (?, ?, ?)");
$stmt->bind_param("sss", $a, $b, $c);

$stmt->execute();

echo "new record created successfully";

$stmt->close();
$conn->close();
?>
  • Yes, it can be said that it's safe from at least MySQL injection. Reason: the query is executed in such a way that the user input isn't directly entered into the MySQL query. But I suggest you google for more info. – Sanu_012 Jul 22 '18 at 10:53
  • Is it unsafe from other kinds of attacks? – Prajwol Shrestha Jul 22 '18 at 11:01
  • No answer from you. @Adi219 – revo Jul 22 '18 at 11:18
  • @revo I deleted my answer as it received two downvotes and someone who appears to be an expert at SQL told me that my approach wouldn't work (as the parameters are bound). – Adi219 Jul 22 '18 at 11:19
  • Yes, it is unsafe from XSS type attack. – Sanu_012 Jul 22 '18 at 11:20
  • I'm voting to close this question as off-topic because it is asking for a code review (and is thus too broad / opinion based). It could probably be adjusted to be on topic for [the code review stackexchange](http://codereview.stackexchange.com/help/on-topic). – Quentin Jul 22 '18 at 11:21
  • @Sanu_012 — Nonsense. The only thing it outputs is a hardcoded string. It is immune to XSS. – Quentin Jul 22 '18 at 11:22
  • @Sanu_012 you cannot judge XSS from this code. XSS can be protected by output sanitizing. – Jacob Jul 22 '18 at 11:24
  • @Adi219 I always give a reason when down-voting, but unfortunately not everyone does that. – Jacob Jul 22 '18 at 11:33

1 Answer

Yes, it's safe from SQL injection, but it can still be improved security-wise.

SQL injection is when you concatenate an SQL query with user parameters; this gives a malicious user a chance to inject data or perform dangerous actions in your database.

Assuming you have this code:

$query = 'select * from user where id = ' . $_GET['id'];

Now assume a hacker sends the id param as 1 or 1 = 1, so your query becomes

select * from user where id = 1 or 1 = 1

This will return all users. There are also other ways to inject.

Since you are using a prepared statement and bind all parameters, it's not possible to concatenate the SQL query.

Security-wise:

  • Your code accepts $_REQUEST, which includes both GET and POST. This is not good practice. You should restrict CRUD to POST only.
  • You are using root (even in a development environment, you shouldn't use root).
Jacob
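The following is an added example, not code from the question or from Jacob's answer: the same insert, rewritten along the lines the answer suggests (POST only, no root account) and with the one thing the original script never checks, a failed prepare(). It assumes a dedicated MySQL user named form_app that has only INSERT on form.my_db, a FORM_DB_PASSWORD environment variable, and 64-character name columns; those names and limits are assumptions, not part of the original page.

```php
<?php
// Added example (not the question's or the answer's code): the same INSERT,
// hardened. Assumed: MySQL user "form_app" with INSERT-only rights on
// form.my_db, password supplied via the FORM_DB_PASSWORD environment variable.

declare(strict_types=1);

// Only accept submissions via POST; a GET carrying the same fields is refused.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Method not allowed');
}

// Read from $_POST only, never $_REQUEST (which also merges GET and cookie data).
$fname = trim((string) ($_POST['fname'] ?? ''));
$lname = trim((string) ($_POST['lname'] ?? ''));
$email = trim((string) ($_POST['email'] ?? ''));

// Basic validation; the 64-character limit is an assumed column size for my_db.
if ($fname === '' || $lname === '' || strlen($fname) > 64 || strlen($lname) > 64) {
    http_response_code(400);
    exit('Invalid name');
}
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($email) > 254) {
    http_response_code(400);
    exit('Invalid email');
}

// Make mysqli throw exceptions so a failed prepare() or execute() cannot go unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

try {
    // Least-privilege account instead of root; no credentials hardcoded in the script.
    $conn = new mysqli(
        'localhost',
        'form_app',                       // assumed: GRANT INSERT ON form.my_db TO 'form_app'@'localhost'
        getenv('FORM_DB_PASSWORD') ?: '', // assumed environment variable
        'form'
    );
    $conn->set_charset('utf8mb4');

    // Prepared statement: the user values travel separately from the SQL text,
    // so they can never change the structure of the query.
    $stmt = $conn->prepare('INSERT INTO my_db (fname, lname, email) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $fname, $lname, $email);
    $stmt->execute();
    $stmt->close();
    $conn->close();
} catch (mysqli_sql_exception $e) {
    // Keep driver error text out of the response; log it server-side instead.
    error_log('form insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Could not save record');
}

// As in the original, only a fixed string is echoed, so no user input reaches the page.
echo 'new record created successfully';
```

The two changes that matter most relative to the question's script are the report mode and the account: with MYSQLI_REPORT_STRICT a broken table name or lost connection surfaces as an exception instead of a silent null return from prepare(), and an INSERT-only user bounds what a compromised script could do to the database even if some other bug were found later.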