
I am trying to build an application that detects whether a user's input (the first 20 bytes) exists in my database.

But I am stuck at sanitizing it and making a placeholder for it, especially this part: $stmt->execute(). Any advice and recommendations will be appreciated!

<?php
    echo <<<_END
            <form method='post' action='test.php' enctype='multipart/form-data' >
                Tester: <input type='file' name='uploadfile'>
                <input type='submit'>
            </form>
_END;

    if($_FILES){
        require_once 'login.php';                   // defines $conn (mysqli)
        if (!$conn) {
            die(mysql_fatal_error());               // user-defined helper, not shown here
        }
        $type = $_FILES['uploadfile']['type'];      // MIME type as reported by the browser
        if($type == "text/plain"){
            // the uploaded file lives at tmp_name; 'name' is only the client's original filename
            $name = $_FILES['uploadfile']['tmp_name'];
            $fh = fopen($name, 'r') or die("File Does not exist");
            $content = file_get_contents($name, FALSE, NULL, 0, 20);   // first 20 bytes
            $content = sanitizeMySQL($conn, $content);                  // user-defined helper, not shown here
            fclose($fh);
            $stmt = $conn->prepare("SELECT * FROM storage WHERE mydata like ?");
            $stmt->bind_param("s", $content);
            $stmt->execute();
            $stmt->store_result();                  // buffer the result so num_rows is populated
            if ($stmt->num_rows == 0) {             // check the rows found, not the statement object
                echo "Not Exist";
            } else {
                echo "Exist";
            }
        } else {
            echo "txt only <br>";
        }
    }
  • How are you *stuck*? – John Conde Apr 23 '20 at 23:58
  • I am trying to implement the part where I can print "Not exist" when the input text file does not exist in my database, but I am trying to figure out how it can safely be implemented – Happydoodle Pa Apr 23 '20 at 23:59
  • What is `mysql_fatal_error()`? – John Conde Apr 24 '20 at 00:01
  • This one's for PDO but the approach is the same for MySQLi ~ https://stackoverflow.com/questions/2722136/mysql-pdo-how-to-bind-like – Phil Apr 24 '20 at 00:12
  • If you're just getting started with PHP and want to build applications, I'd strongly recommend looking at various [development frameworks](https://www.cloudways.com/blog/best-php-frameworks/) to see if you can find one that fits your style and needs. They come in various flavors from lightweight like [Fat-Free Framework](https://fatfreeframework.com/) to far more comprehensive like [Laravel](http://laravel.com/). These give you concrete examples to work from and guidance on how to write your code and organize your project's files. – tadman Apr 24 '20 at 01:45
  • There's no need to sanitize anything here. There is no such thing as input sanitization. Forget about it. – Dharman Apr 25 '20 at 11:18
  • Does this answer your question? [How can I sanitize user input with PHP?](https://stackoverflow.com/questions/129677/how-can-i-sanitize-user-input-with-php) – Dharman Apr 25 '20 at 11:19
  • Your question is not about SQL injection, but about fetching the data from the mysqli statement. – Dharman Apr 25 '20 at 11:26

1 Answer


This section of your code is already sanitising your input.

$stmt = $conn->prepare("SELECT * FROM storage WHERE mydata like ?");
$stmt->bind_param("s", $content);
$stmt->execute();

The first line lays out your sql query with parameters.

$stmt = $conn->prepare("SELECT * FROM storage WHERE mydata like ?");

The second line escapes any dangerous characters in the user input (i.e. in $content), and binds it to the position of the ? in your query in the line above.

$stmt->bind_param("s", $content);

The third line runs the query you created with the parameters you bound.

$stmt->execute();

An insecure method of doing this would look like this:

$stmt = $conn->prepare("SELECT * FROM storage WHERE mydata like '$content'");

If a user were to submit content which looked like this `'; drop * from storage;//`, then the resulting query would be:

SELECT * FROM storage WHERE mydata like ''; drop * from storage;//'

This would end up deleting all the data in your mydata table in your database.

Joundill
  • `bind_param()` does not escape anything. It passes the values as is to MySQL when the statement is executed. – Dharman Apr 25 '20 at 11:19
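The following is an added example written for this page; it is not the question's code, the answer's code, or code from any library. It assumes, as the question does, that `login.php` creates a mysqli connection in `$conn` and that a table `storage` has a text column `mydata`; the helper names `escapeLike`, `prefixExists` and `handleUpload` are my own, and the prefix match (first 20 bytes followed by `%`) is an assumed reading of "exists". It covers both points raised in the comments: fetching the result with `store_result()` / `num_rows` instead of testing the statement object, and binding a value to a `LIKE` placeholder, where `bind_param()` keeps the value out of the SQL text but `%` and `_` inside the value would still act as wildcards unless escaped. The file is read from `tmp_name`, and the content type is checked on the server rather than trusted from the browser.

```php
<?php
// Added example, not the question's or the answer's code.
// Assumes: $conn is a mysqli connection created by login.php,
// and a table `storage` with a text column `mydata`.
declare(strict_types=1);

// Escape LIKE metacharacters so the bound value is matched literally.
// bind_param() already prevents the value from being parsed as SQL, but
// '%' and '_' inside a LIKE pattern are wildcards, not SQL syntax, so
// they need separate handling. MySQL's default LIKE escape character is '\'.
function escapeLike(string $value): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
}

// Returns true when some row's mydata starts with $prefix.
// (Use '=' instead of LIKE if an exact match is what is wanted.)
function prefixExists(mysqli $conn, string $prefix): bool
{
    $stmt = $conn->prepare('SELECT 1 FROM storage WHERE mydata LIKE ? LIMIT 1');
    $pattern = escapeLike($prefix) . '%';
    $stmt->bind_param('s', $pattern);   // value is sent separately from the SQL text
    $stmt->execute();
    $stmt->store_result();              // buffer rows so num_rows is meaningful
    $found = $stmt->num_rows > 0;       // test the rows found, not the statement object
    $stmt->close();
    return $found;
}

// Handle one entry of $_FILES: validate the upload, read its first 20 bytes,
// and report whether a matching row exists.
function handleUpload(mysqli $conn, array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return 'Upload failed';
    }
    // Only accept a path that PHP itself placed in the upload directory.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'Invalid upload';
    }
    // $file['type'] is whatever the browser claimed; inspect the bytes instead.
    if (mime_content_type($file['tmp_name']) !== 'text/plain') {
        return 'txt only';
    }
    $prefix = file_get_contents($file['tmp_name'], false, null, 0, 20);
    if ($prefix === false || $prefix === '') {
        return 'Empty file';
    }
    return prefixExists($conn, $prefix) ? 'Exist' : 'Not Exist';
}

if (isset($_FILES['uploadfile'])) {
    // Make mysqli throw on connection/query errors instead of failing silently.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    require_once 'login.php';           // assumed to define $conn (mysqli)
    echo htmlspecialchars(handleUpload($conn, $_FILES['uploadfile']), ENT_QUOTES, 'UTF-8');
}
```

The point of `escapeLike()` is separate from injection: with `bind_param()` the value can never change the structure of the query, so a value such as `'; drop * from storage;//` is simply compared against `mydata` as text. What binding does not do is neutralise `LIKE` wildcards, so a file beginning with `%` would otherwise match every row; escaping them before appending the trailing `%` keeps the match limited to the literal 20-byte prefix.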