
I have a web game which through an AJAX request accesses the php file below to save user's score to the database. How secure is this approach? In what way could someone hack this?

<?php
$db = "db name";//Your database name
$dbu = "db username";//Your database username
$dbp = "db user pass";//Your database users' password
$host = "localhost";//MySQL server - usually localhost

$dblink = mysql_connect($host,$dbu,$dbp);
$seldb = mysql_select_db($db);

if(isset($_GET['name']) && isset($_GET['score']))
{
    //Lightly sanitize the GET's to prevent SQL injections and possible XSS attacks
    $name = strip_tags(mysql_real_escape_string($_GET['name']));
    $score = strip_tags(mysql_real_escape_string($_GET['score']));
    $sql = mysql_query("INSERT INTO `$db`.`scores` (`id`,`name`,`score`) VALUES ('','$name','$score');");

    if($sql)
    {
      echo 'Your score was saved. Congrats!';
    }
    else
    {
      echo 'There was a problem saving your score. Please try again later.';
    }
     
}
else
{
     echo 'Your name or score wasnt passed in the request. Make sure you add ?name=NAME_HERE&score=1337 to the tags.';
}

mysql_close($dblink); //Close off the MySQL connection to save resources.
?>
JeFawk
    `strip_tags` has no use here, that's only relevant on display. It doesn't protect from XSS at all here. That content isn't put into an HTML context. Also since you're using `mysql_query`, an interface so notoriously awful it was deleted from PHP permanently, this code is not in any way "secure". – tadman Dec 02 '20 at 02:37
  • 1
    If you're just getting started with PHP and want to build applications, I'd strongly recommend looking at various [development frameworks](https://www.cloudways.com/blog/best-php-frameworks/) to see if you can find one that fits your style and needs. They come in various flavors from lightweight like [Fat-Free Framework](https://fatfreeframework.com/) to far more comprehensive like [Laravel](http://laravel.com/). These give you concrete examples to work from and guidance on how to write your code and organize your project's files. – tadman Dec 02 '20 at 02:38
  • 2
    **WARNING**: Do not use the obsolete [`mysql_query`](http://php.net/manual/en/function.mysql-query.php) interface which was removed in PHP 7. A replacement like [PDO is not hard to learn](https://phpdelusions.net/pdo) and a guide like [PHP The Right Way](http://www.phptherightway.com/) helps explain best practices. Here parameters are **NOT** [properly escaped](http://bobby-tables.com/php) and this has severe [SQL injection bugs](http://bobby-tables.com/) in this code. Escape **any** and all user data, especially from `$_POST` or `$_GET`. – tadman Dec 02 '20 at 02:38
  • Does this answer your question? [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Dharman Dec 02 '20 at 11:00

1 Answer

The code you have written is not at all secure: check for XSS and SQL injection, namely. Also, you are using a deprecated function to interact with the DB.

If you are thinking of taking this to production, you should use some PHP framework, which will ease out most of the things for you; there are so many frameworks out there, and they are fairly easy to implement, like in a day or two.

Choose From Here

ajitpawarink
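The same save-score endpoint rewritten the way tadman's comments and the answer recommend (PDO with real prepared statements instead of the removed `mysql_*` functions, validation of the inputs instead of `strip_tags`). This is an added example, not code from the question or the answer; it assumes a `scores` table with an auto-increment `id`, a `name` column and an integer `score` column, reads the two fields from `$_POST` rather than the query string, and uses placeholder credentials you would replace.

```php
<?php
// Added example (not the asker's code): save a score with PDO prepared statements.
// Assumes table `scores` (id AUTO_INCREMENT, name VARCHAR(64), score INT)
// and placeholder credentials; replace DB_*_HERE with your own values.
declare(strict_types=1);

$dsn = 'mysql:host=localhost;dbname=DB_NAME_HERE;charset=utf8mb4';
$pdo = new PDO($dsn, 'DB_USER_HERE', 'DB_PASS_HERE', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, not silently
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares: SQL text and data never mix
]);

// Validate rather than "sanitize": the score must be a non-negative integer and the
// name a non-empty string of bounded length. Anything else is rejected outright.
$score = filter_input(INPUT_POST, 'score', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 0, 'max_range' => 1000000],
]);
$name = $_POST['name'] ?? null;
if ($score === false || $score === null
    || !is_string($name) || $name === '' || strlen($name) > 64) {
    http_response_code(400);
    echo 'Your name or score was missing or invalid.';
    exit;
}

// The values are bound separately from the SQL text, so no escaping is needed and
// user data can never change the structure of the query (the SQL injection point
// raised in the comments). Typed binding keeps the integer an integer.
$stmt = $pdo->prepare('INSERT INTO scores (name, score) VALUES (:name, :score)');
$stmt->bindValue(':name', $name, PDO::PARAM_STR);
$stmt->bindValue(':score', $score, PDO::PARAM_INT);
$stmt->execute();

// Nothing user-supplied is echoed back here. If the name is ever rendered in a
// page (a high-score table, say), escape it at that point with
// htmlspecialchars($name, ENT_QUOTES, 'UTF-8'); that is where XSS is prevented,
// not when the value is stored.
echo 'Your score was saved. Congrats!';
```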