
I have some source code and am trying to replace the asterisk to patch an SQL injection. Here is the code:

// Strip every asterisk from the user-supplied value
$search = str_replace ("*", "", $search);
// Splice the value into a C-style comment inside the query text
$rows = mysqli_query ($conn, "SELECT * FROM users WHERE username=/*" . $search . "*/ 'Aaron'", MYSQLI_USE_RESULT);

Is it possible to exploit this when the variable is placed inside a C-style comment in MySQL?

Aaron
    Why do you need to do this? Just use query parameters, don't use string-concatenation. You don't need to ask if there's any way to exploit query parameters. – Bill Karwin Dec 15 '19 at 04:08
  • See https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php for examples of using query parameters in PHP. I won't vote to close your question as a duplicate, though, because you asked a different question. – Bill Karwin Dec 15 '19 at 04:09

1 Answer


First of all, if you are worried about SQL-Injection then you should filter any input from your user and validate it.

The best protection is done with prepared statements. Like this:

<?php
/** Open DB-Connection */
$pdo = new PDO('mysql:host=localhost;dbname=test', 'username', 'password');

$firstname = "John";
$lastname = "Smith";
$email = "info@youremail.com";

/** Your SQL-Statement */
$statement = $pdo->prepare("SELECT * FROM users WHERE firstname = :firstname OR lastname = :lastname OR email = :email");

/** Fills the parameter */
$statement->execute(array('firstname' => $firstname, 'lastname' => $lastname, 'email' => $email));

?>

Your attempt to replace the * will not work. C-style comments are vulnerable to exploits. If a hacker sends "*" as a UTF-encoded character, for example, he might be sending (encoded) this:

(USERNAME 1ST LINE, PASSWORD 2ND LINE).

attacker', 1, /*
*/'pwd

Cedrix
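As an added example (not code from the question or the answer above), here is the asker's mysqli query rewritten with a prepared statement instead of the comment trick, plus an allow-list check on the username; the connection credentials and the `id`/`username` column names are placeholders.

```php
<?php
// Added example, not from the original post: the username is bound as a
// parameter, so it is never part of the SQL text the parser sees.
// Connection values below are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli('localhost', 'db_user', 'db_password', 'test');

function findUserByName(mysqli $conn, string $search): ?array
{
    // Defence in depth: accept only a plausible username shape up front.
    // This is an allow-list, the opposite of stripping single characters.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $search)) {
        return null;
    }

    // The statement shape is fixed when prepare() runs; whatever bytes
    // arrive in $search ('*/', quotes, comment markers) are compared
    // against the column as data, not parsed as SQL.
    $stmt = $conn->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $search);
    $stmt->execute();
    // get_result() needs the mysqlnd driver, the default in modern PHP.
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

var_dump(findUserByName($conn, $_GET['search'] ?? 'Aaron'));
```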