i have searched and added some prevention code but i need expert advice am i correct ?
I have made seperate file for SQL connect but i have confusion whether i should use include, require, include_onces or any other ?
mysql_connect("localhost", "userr", "pass") or die(mysql_error()) ;
mysql_select_db("databse") or die(mysql_error()) ;
Here i have added two things UTF8 and mysql_real_escape_string.
$bad='anyone123';
$var = mysql_real_escape_string($bad);
$q = mysql_query('SET user_id UTF8');
$q = mysql_query("SELECT * FROM fbusers WHERE user_id = '$var'");
$r = mysql_fetch_array($q);
Please give me advice if how can i prevent injec. to 100%
i don't want my website to be hacked :(
Thank you
You need to use prepared statements for any queries that require user input. This sends the query and the parameters seperately and acts as a layer of security to catch any malicious input.
In PDO:
$stmt = $pdo->prepare("SELECT * FROM fbusers WHERE user_id = :var");
$stmt->execute(array(':var'=>$var));
In mysqli:
$stmt = $dbConnection->prepare('SELECT * FROM fbusers WHERE user_id = ?');
$stmt->bind_param('s', $var);
$stmt->execute();
Maybe this post would help.
Related
I'm creating a login system of sorts that uses parameters from the URL.
The parameters are set no problem. I dont know what the issue is.
Here's my code:
<?php
require_once("db_const.php");
$mysqli = new mysqli("dont", "try", "to login to", "my database");
# check connection
if ($mysqli->connect_errno) {
echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
exit();
}
$username = filter_input(INPUT_GET,"username",FILTER_SANITIZE_STRING);
$password = filter_input(INPUT_GET,"password",FILTER_SANITIZE_STRING);
$sql = "SELECT * from users WHERE username LIKE '{$username}' AND password LIKE '{$password}' LIMIT 1";
$result = $mysqli->query($sql);
if (!$result->num_rows == 1) {
echo "failed";
} else {
echo "success";
}
?>
There are a few problems with your code.
The problem is the use of the LIKE function. Your usage is
SELECT * from users WHERE username LIKE '{$username}' AND password LIKE '{$password}' LIMIT 1
Like requires additional specification to find match positions and such, for example :
SELECT ... WHERE username LIKE '%{$username}%'
In the form you used, the WHERE clause if equivalent to
SELECT ... WHERE username = '{$username}'
In addition, LIKE is not recommended even (especially) with the wildcards, as 'tom' will match users 'tom' and 'tommy', and the count will certainly not be == 1.
I'll also urge you to test the query for errors
if (!$result) {
echo 'An error occurred : $mysqli->error;
}
Others have already mentioned the risk in passwing username and passwords on the URL, Please take note of their comments.
In addition, storing the password in plain form the database is not recommended for security reasons. There are plenty of resources explaining how to encrypt passwords and authenticate using the encrypted values.
Try:
$sql = "SELECT * from users WHERE username='$username' AND password='$password'";
CAUTION
Even if the above code solves your problem, It's still very dangerous as it's vulnerable for SQL injection on both username and password parameters and it can be exploited in a manner that a malicious user can bypass the login check by breaking out of the quotes and adding a condition that evaluates to true.
You can use a mysqli::prepare to get over that.
$stmt = mysqli->prepare("SELECT * from users WHERE username=? AND password=?");
$stmt->bind_param("ss", $username,$password);
$stmt->execute();
i keep having this error "mysql_fetch_array() expects parameter 1 to be resource, null given in" when i try to display the returned value of count in sql. heres my code.
$query="SELECT med_rec_ID, COUNT(med_rec_ID)
FROM med_issue
WHERE MONTH(issue_date) = MONTH('2013-02-05')
GROUP BY med_rec_ID";
$result= mysql_query($query);
while($count = mysql_fetch_array($display3)){
echo $count[0];
}
i have tried to run the query in sql alone it displays 2 columns (the med_rec_ID, and the COUNT). guys how do i display the count and fix the error too?
First of all, don't use mysql_* functions since they're deprecated. Use mysqli or PDO.
Secondly, look at what you're passing into the fetch_array function.
You probably want to do something like:
$link = mysqli_connect("localhost", "admin", "pass", "db_name");
$result = mysqli_query($link, $sql);
while($row = $result->fetch_array(MYSQLI_ASSOC)){
$medIds[] = $row['med_rec_ID'];
...
}
Then fix the count by giving it an alias.
Please note that you should actually store how you access the DB in a more secure manner, but I use this only to illustrate the example. Here's a pretty good post: How to create global configuration file?
Is your query even executing? that error will happen if mysql_query doesnt return the resource, in case query fails
$query="SELECT med_rec_ID, COUNT(med_rec_ID) as C FROM med_issue where MONTH(issue_date) = MONTH('2013-02-05') GROUP BY med_rec_ID";
$result= mysql_query($query) or die(mysql_error());
while($row = mysql_fetch_assoc($result))
{
echo $row["C"];
}
Note: Please do not use mysql_* functions anymore
Give it an alias:
SELECT
med_rec_ID,
COUNT(med_rec_ID) TheCount
FROM med_issue
where MONTH(issue_date) = MONTH('2013-02-05') GROUP BY med_rec_ID
then you can select that column TheCount inside the while loop with $row['TheCount'], also use lope through the $result:
$result = mysql_query($query);
while($row = mysql_fetch_array($result)){
echo $row['TheCount'];
}
mysql_real_escape_string is preventing the unsanitized fields with bad characters from being added to the database. I don't want to have to specify all the fields on each form (since that's both cumbersome to do for each field and doesn't accommodate special characters which people may include or typos), but at the moment this code prevents anything from being inserted if any threatening characters are present in the unsanitized fields but still advances to the next page.
I'm also using jQuery validate on this page, but haven't been able to use that to prevent SQL injection.
function clean($str) {
$str = #trim($str);
if(get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
return mysql_real_escape_string($str);
}
//Sanitize the POST values
$user_name = clean($_POST['user_name']);
$password = clean($_POST['password']);
//Create INSERT query
$qry = "INSERT INTO customer_info(fname, lname, gender, zip, email, phone, terms, security_question, security_answer, participating_retailers, notify_new_items, notify_promotions, priority1, priority2, priority3, priority4, priority5, privacy, user_name, password)
VALUES('$_POST[fname]','$_POST[lname]','$_POST[gender]','$_POST[zip]','$_POST[email]','$_POST[phone]','$_POST[terms]','$_POST[security_question]','$_POST[security_answer]','$_POST[participating_retailers]','$_POST[notify_new_items]','$_POST[notify_promotions]','$_POST[priority1]','$_POST[priority2]','$_POST[priority3]','$_POST[priority4]','$_POST[priority5]','$_POST[privacy]','$user_name','$password')";
$result = #mysql_query($qry);
$qry="SELECT * FROM customer_info WHERE user_name='$user_name' AND password='$password'";
$result=mysql_query($qry);
session_regenerate_id();
$member = mysql_fetch_assoc($result);
$_SESSION['SESS_USER_ID'] = $member['user_id'];
$_SESSION['SESS_FIRST_NAME'] = $member['fname'];
$_SESSION['SESS_LAST_NAME'] = $member['lname'];
session_write_close();
header("location: flatter-form.html");
exit();
mysql_query has been deprecated. PDO or mysqli both provide security against SQL injections. In addition to both having escaping functionality, PDO has the ability to also quote the string. Using prepared and parameterized queries makes it almost impossible for an attacker to inject SQL.
$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute(array(':name' => $name));
foreach ($stmt as $row) {
// do something with $row
}
Sample from: Prepared statements
Take a look at PDO vs. MySQLi.
I have a custom table called wp_purchases that is added to by a Paypal IPN, it has the columns post_id, purchase_id, username, email and changes:
$user = $_POST['username'];
$post_id = $post->ID;
global $wpdb;
$wpdb->purchases = $table_prefix . 'purchases';
$result = $wpdb->query("SELECT * FROM $wpdb->purchases WHERE username = $user AND post_id = $post_id");
if ($result) {...
I'm just trying to check if there is a purchase under a certain username in a single .php theme page and then perform an operation unrelated to the $result.
It won't work though, any way I try it comes up with null. Is it something to do with using $wpdb->purchases or not including a certain file or something else? I've also tried it with get_results and get_row with no luck.
Try this :
$result = $wpdb->query("SELECT * FROM `".$wpdb->purchases."` WHERE username = '$user' AND post_id = '$post_id';");
I gave up and just used
$result = $wpdb->query("SELECT * FROM wp_purchases WHERE username = $user AND post_id = $post_id");
because it's for a single site and doesn't really need the table prefix, it'll always be wp_
I know it's too late for this answer, but I'll still post it for the sake of others who are also having similar issue.
You mentioned that the query still returns nothing even after removing the WHERE part, have you tried to echo $wpdb->purchases variable? It might just returning you a string "purchases" instead of "wp_purchases" (assuming that your table prefix is "wp_"). Try using $wpdb->prefix instead of $table_prefix, or $wpdb->base_prefix if you got a multisite.
$wpdb->purchases = $wpdb->prefix . 'purchases';
What type of username? I assume it stores string data. So variable $user must be quoted:
"SELECT * FROM $wpdb->purchases WHERE username = \"$user\" AND post_id = $post_id"
I have a join using mysql in php and want to turn that into a pdo query how do i do that?
Also how do I get the results of this query and display it.
Code is below:
$query = "SELECT * FROM pages LEFT JOIN templates ON pages.template_id = templates.template_id WHERE pages.page_Title = '".$getVars['page']."'";
I am new to PDO so this might sound like a very basic question.
Thanks in Advance
Why don't people even look at the PHP reference for these basic questions? See http://be2.php.net/manual/en/pdo.connections.php. It's all there, you don't have to change anything to the query in order to run it with PDO.
You could however try using a prepared statement, and pass the title as a parameter :
$dbh = new PDO('mysql:host=localhost;dbname=database', $user, $pass);
$stmt = $dbh->prepare("SELECT * FROM pages LEFT JOIN templates ON pages.template_id = templates.template_id WHERE pages.page_Title = ?");
if ($stmt->execute(array($getVars['page']))) {
while ($row = $stmt->fetch()) {
print_r($row);
}
}