
So I found my page to be very vulnerable to SQL injection attacks. I wish to patch it but am a bit confused where to start. I've done some research and I think I should be using PDO; basically, from what I understand, I need to be pre-making my statements and then parsing their input as a string. As this is the first time doing this, I would like to make sure I'm going down the right path.

So for example, this statement in my login page php code:

$verify_pass = $dB1->query('SELECT * FROM accounts WHERE account="'.$compte.'" AND pass="'.$pass.'"');

It's my understanding that I should be changing this to

$verify_pass = $dB1->prepare('SELECT * FROM accounts WHERE account="?" AND pass="?"');
$stmt->bind_param("sss", $user, $pass);

and then save their input as $user. Would this work to prevent an SQL injection attack? I would obviously need to do this for every user input that touches the database, but is this a step in the right direction?

Alex Pryor
  • Yes, that will work to prevent injections in your query; however, you specify three strings in `bind_param()` but supply only two, and the rest of the code is missing. For instance, where is `$stmt` coming from? See: https://phpdelusions.net/pdo#prepared – KIKO Software May 01 '20 at 08:33
  • @KIKOSoftware It should rather be https://phpdelusions.net/mysqli_examples/prepared_select, as the OP is using mysqli – Your Common Sense May 01 '20 at 08:39
  • @YourCommonSense True, I was slightly misled by the OP saying "I should be using PDO". Now the OP can choose what to use. Both will prevent SQL injection. – KIKO Software May 01 '20 at 08:41
  • Thanks for all this info! Yes, sorry I didn't specify the language, nor give the entire code, but I did not want to have to blur out sensitive info there. That being said, thanks so much for all your help; I will look into both options! Thanks a bunch, guys! – Alex Pryor May 02 '20 at 12:08

0 Answers
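The following is an added example, not code from the question or the comments. It shows the vulnerable query from the question next to a corrected mysqli prepared statement, and fixes the two problems the comments point out: the placeholders must be bare `?` (a `"?"` inside quotes is just the literal string "?", not a placeholder), and `bind_param()` takes exactly one type character per placeholder, so two strings need `"ss"`, with the statement object from `prepare()` being the thing you call `bind_param()` on. It assumes `$dB1` is an existing mysqli connection, that the `accounts` table has `account` and `pass` columns as in the question, and that the mysqlnd driver is available (required for `get_result()`); the function names and the sample payload are constructed for the demonstration.

```php
<?php
// Added example (not the OP's code). Assumes $dB1 is an open mysqli
// connection and the accounts table has columns account and pass, as in
// the question. $compte and $pass hold raw form input.

declare(strict_types=1);

// Make mysqli throw on errors so a failed prepare() is never silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Vulnerable form from the question: user input is concatenated into the SQL
 * text, so the input can close the quoted string and rewrite the WHERE clause.
 */
function loginVulnerable(mysqli $dB1, string $compte, string $pass): ?array
{
    $result = $dB1->query('SELECT * FROM accounts WHERE account="' . $compte . '" AND pass="' . $pass . '"');
    return $result->fetch_assoc() ?: null;
}

/**
 * Hardened form: the SQL text is fixed when prepare() runs and contains only
 * bare ? placeholders. The values travel separately via bind_param(), so they
 * are always treated as data and can never change the statement's structure.
 */
function loginPrepared(mysqli $dB1, string $compte, string $pass): ?array
{
    // No quotes around the placeholders: "?" in quotes is the literal string "?".
    $stmt = $dB1->prepare('SELECT * FROM accounts WHERE account = ? AND pass = ?');
    // One type character per placeholder: two string values -> "ss", not "sss".
    $stmt->bind_param('ss', $compte, $pass);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd (assumption)
    $stmt->close();
    return $row ?: null;
}

// Constructed demonstration input: a classic comment-out payload.
// Note the trailing space after "--", which MySQL requires for a line comment.
$compte = 'admin" -- ';
$pass   = 'anything';

// loginVulnerable() would build
//   SELECT * FROM accounts WHERE account="admin" -- " AND pass="anything"
// and return the admin row without ever checking the password.
// loginPrepared() looks for an account literally named 'admin" -- ' and finds none.
$row = loginPrepared($dB1, $compte, $pass);
if ($row === null) {
    echo "login failed\n";
} else {
    echo "logged in as " . $row['account'] . "\n";
}
```

Two practical notes on this pattern. First, every query that mixes user input into SQL needs the same treatment; the placeholder binds a single value, so it cannot be used for table or column names or for an `IN (...)` list, which need their own handling. Second, comparing a plaintext `pass` column in SQL is a separate weakness from injection: the usual fix is to store a hash with `password_hash()`, select the row by `account` only, and check the submitted password with `password_verify()` in PHP.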