
I recently did a ZAP report on my project, and there was a high alert saying SQL Injection may be possible through a `Foldable' AND '1'='1` attack on this particular drop-down menu 'bsearch'. I would like to know if it is possible to solve this issue through a Prepared Statement and how I would do it. Thank you.

This is my SQL (PHP):

    $filter = "";
    if(isset($_POST['bsearch']))
    {
        $mod_selected = $_POST['bsearch'];
        // the submitted value is interpolated straight into the SQL text; this is the point ZAP flagged
        $filter = " WHERE catename ='$mod_selected'";
    }

    $conn = mysqli_connect('localhost','root','','my_db');

    // this query takes no user input, so it needs no placeholders
    $productsql = "SELECT DISTINCT catename FROM catetable";
    $model_list = mysqli_query($conn,$productsql);

    mysqli_close($conn);

And this is the drop-down menu form:

    <section class = "content feature">
        <section id="featurepage">
            <article id="featurenav">
                <h1>
                    Category
                </h1>
                <form name = "bikeoption" id = "bikeoption" method = "post">
                    <p id = "searchlabel">
                        Select Bike Category: &nbsp;
                    </p>
                    <select name="bsearch" id="bsearch">
                        <?php while ($one_model = mysqli_fetch_assoc($model_list)) { ?>
                        <option value="<?php echo $one_model['catename']; ?>">
                            <?php echo $one_model['catename']; ?>
                        </option>
                        <?php } ?>
                    </select>
                    &nbsp;&nbsp;&nbsp;
                    <input type="submit" value = "Search" id = "bsearchBtn" class = "button">
                </form>
                <br>

This is what I have added

Nicole
    Does this answer your question? [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – El_Vanja Feb 05 '21 at 10:40
  • Thank you I'll try it out and see. :) – Nicole Feb 05 '21 at 10:45
  • @El_Vanja Hi there is an error I am facing. Why is it when I did as what the solution did, my drop-down list options are not appearing? Can you help me see where have I gone wrong? (in the image) – Nicole Feb 05 '21 at 11:09
  • Make sure you check for [mysqli errors](https://stackoverflow.com/questions/22662488/mysqli-fetch-assoc-expects-parameter-call-to-a-member-function-bind-param/22662582#22662582). You have misunderstood the concept. You're trying to bind a parameter to a statement that has no parameter placeholders. – El_Vanja Feb 05 '21 at 11:14
  • @El_Vanja Oh okay. Thank you very much. – Nicole Feb 05 '21 at 11:22
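As an added example (not the asker's code or anything from the thread), here is the question's filter rewritten with mysqli prepared statements, following the point in El_Vanja's comment that only the query carrying user input gets a placeholder. Host, credentials, table and column names are taken from the question; the select list of the filtered query and the use of the mysqlnd driver (needed for `mysqli_stmt_get_result`/`mysqli_fetch_all`) are assumptions.

```php
<?php
// Added example, not the asker's code: the interpolated WHERE clause from the
// question rewritten with mysqli prepared statements. Table/column names, host
// and credentials come from the question; the select list is assumed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli failures become exceptions

function load_categories(mysqli $conn): array {
    // No user input here, so no placeholders and nothing to bind. Calling
    // bind_param on a statement like this is what emptied the drop-down.
    $result = mysqli_query($conn, "SELECT DISTINCT catename FROM catetable");
    return array_column(mysqli_fetch_all($result, MYSQLI_ASSOC), 'catename');
}

function find_by_category(mysqli $conn, string $selected): array {
    // The SQL text is fixed at prepare time; '?' marks where the value goes.
    $stmt = mysqli_prepare($conn, "SELECT catename FROM catetable WHERE catename = ?");
    // The submitted value travels as data, never spliced into the SQL string, so
    // a payload such as "Foldable' AND '1'='1" is compared literally against
    // catename and simply matches no row.
    mysqli_stmt_bind_param($stmt, 's', $selected); // 's' = string parameter
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);       // requires the mysqlnd driver
    $rows = mysqli_fetch_all($result, MYSQLI_ASSOC);
    mysqli_stmt_close($stmt);
    return $rows;
}

$conn = mysqli_connect('localhost', 'root', '', 'my_db');
$categories = load_categories($conn);          // feeds the <option> loop in the form
$matches = [];
if (isset($_POST['bsearch'])) {
    // Treat the POST value as untrusted even though the form is a drop-down:
    // the browser's option list is not what decides which values arrive here.
    $matches = find_by_category($conn, (string) $_POST['bsearch']);
}
mysqli_close($conn);
```

With `mysqli_report` enabled, a prepare or bind mistake (such as binding to a statement with no `?`) throws immediately instead of silently returning `false`, which is the quickest way to see why a list comes back empty.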
