Am I safe from SQL Injection by using a stored procedure instead of query?

Question

Newbie here. I've been taking a look at how SQLSVR makes use of prepared statements to protect against injections, but what they are protecting against are usually the queries themselves instead of something like a stored procedure. Am I somewhat safe from this with my current code?

I've been trying to understand the PHP manual here: https://www.php.net/manual/en/function.sqlsrv-query.php but I'm not exactly sure how this would look because I'm using a stored procedure.

Thank you for your time to read this and guidance.

<?php 
include('config.php');
$mysqli = sqlsrv_connect($serverName, $conn_array);

// For error or success messages place the following functions in your functions.php file and include the file here.
// The following functions are based on bootstrap classes for error and success message. If you are not using bootstrap you can stylize your own.

function alertSuccess($msg){
  $alert = "<div class='alert alert-success'>".$msg."</div>";
  return $alert;
}

function alertError($msg){
  $alert = "<div class='alert alert-danger'>".$msg."</div>";
  return $alert;
}

function alertInfo($msg){
  $alert = "<div class='alert alert-info'>".$msg."</div>";
  return $alert;
}


// Storing Form Inputs
$username = ($_POST['username']);
$email = ($_POST['email']);
$region =($_POST['region']);
$password = (!empty($_POST['password']))?$_POST['password']:null;
$password2 = (!empty($_POST['confirmpassword']))?$_POST['confirmpassword']:null;

if(isset($_POST['register'])) {
  // Set "Creating Account" message. 
  echo alertInfo("Attempting to initiate Account Creation...");

  // If username is null then rest of the code will not be executed
  if($username == null){
    echo alertError("Invalid username!");
    header("Location: failed.php");
    exit();
  }

  // If password is not equal then rest of the code will not be executed
  if($password != $password2){
    echo alertError("Password mismatch");
    header("Location: failed.php");
    exit();
  }

  // If username is less than 6 characters long then rest of the code will not be executed
  if(strlen($username) < 6){
    echo alertError("Username must contain at least 6 characters.");
    header("Location: failed.php");
    exit();
  }

  if($region > 2){
    echo alertError("Invalid Region.");
    header("Location: failed.php");
    exit();
  }

  // All checks done already (including password check). Now process the query.
  $password = $password;
  $sql = "SET ANSI_NULLS ON
          SET QUOTED_IDENTIFIER ON
          SET CONCAT_NULL_YIELDS_NULL ON
          SET ANSI_WARNINGS ON
          SET ANSI_PADDING ON
          exec membership.dbo.CreateAccount '$username','$password','$email', '$region'
          ";
          
  if(sqlsrv_query($mysqli, $sql)){
    echo alertSuccess("Registration Successful! Please wait....");
    header("Location: info.php");
    exit();
  }else{
    echo alertError("Sorry, something went wrong! Please refresh the page and try again.");
  }
}

Does this answer your question? [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Dharman, Jun 27 '20 at 12:40

score 1 · Accepted Answer · answered Jun 27 '20 at 08:40

1

After digging a bit. The answer is no and stored procedures are not safe if they utilize dynamic SQL.

I was able to utilize prepared statements by reading the manual a couple thousand times.

answered Jun 27 '20 at 08:40

Pon

57
6

Am I safe from SQL Injection by using a stored procedure instead of query?

1 Answers1