I'm trying to learn about SQL Injection and how to avoid it. This is my current register.php, to which I added escape strings. Can someone tell me if there are any other steps I should take to avoid SQL injection? Thanks.

<?php

session_start();

// $mysqli is assumed to be an already-open mysqli connection created in a file
// included before this point (the connection code is not shown in the question).

// Set session variables to be used on profile.php page
$_SESSION['email'] = $_POST['email'];
$_SESSION['first_name'] = $_POST['firstname'];
$_SESSION['last_name'] = $_POST['lastname'];

// Escape every value that is interpolated into the SQL strings below
$first_name = $mysqli->escape_string($_POST['firstname']);
$last_name = $mysqli->escape_string($_POST['lastname']);
$email = $mysqli->escape_string($_POST['email']);
$password = $mysqli->escape_string(password_hash($_POST['password'], PASSWORD_BCRYPT));
$hash = $mysqli->escape_string( md5( rand(0,1000) ) ); // activation token used by verify.php
$igname = $mysqli->escape_string($_POST['igname']);
$profileurl = $mysqli->escape_string($_POST['profileurl']);
$rules = $mysqli->escape_string($_POST['rules']);
$username2 = $mysqli->escape_string($_POST['username']);


// Check if a user with that email or username already exists.
// $mysqli->error is a property, not a method, so it is read without parentheses.
$result = $mysqli->query("SELECT * FROM users WHERE email='$email'") or die($mysqli->error);
$result2 = $mysqli->query("SELECT * FROM users WHERE username='$username2'") or die($mysqli->error);

if ( $result->num_rows > 0 ) {

    $_SESSION['message'] = 'User with this email already exists!';
    header("location: error.php");
    exit();
}

else if ( $result2->num_rows > 0 ) {

    $_SESSION['message'] = 'User with this username already exists!';
    header("location: error.php");
    exit();
}

else {

    // Notify the site owner that a new registration came in
    $to = 'kielly@email.ca';
    $subject = 'NEWUSER';
    $message = "Someone has registered";
    $headers = "From: general@email.ca\r\nReply-To: webmaster@email.com";
    $mail_sent = @mail( $to, $subject, $message, $headers );

    // Keep the mail status in the session instead of echoing it: any output sent
    // before header() prevents the redirect below from working.
    $_SESSION['mail_status'] = $mail_sent ? "Mail sent" : "Mail failed";

    $sql = "INSERT INTO users (first_name, last_name, email, password, hash, igname, profileurl, readrules, admin, username) "
        . "VALUES ('$first_name','$last_name','$email','$password', '$hash', '$igname', '$profileurl', '$rules', 0, '$username2')";

    // Add user to the database
    if ( $mysqli->query($sql) ){

        $_SESSION['active'] = 0; // 0 until user activates their account with verify.php
        $_SESSION['logged_in'] = true; // So we know the user has logged in
        $_SESSION['admin'] = 0;
        $_SESSION['message'] =
            "Thank you for applying. Please wait while admins check over your application. You should receive an email shortly. (Check junk folders and allow up to 5 hours for a review)";
        header("location: usertest.php");
        exit(); // stop the script once the redirect has been sent
    }

    else {
        $_SESSION['message'] = 'Registration failed!';
        header("location: error.php");
        exit();
    }
}

Should I also add prepared statements such as

$stmt = $mysqli->prepare("INSERT INTO users (first_name, last_name, email, password, hash, igname, profileurl, readrules, admin, username) VALUES (?,?,?,?,?,?,?,?,?,?)");

or is what I have above safe?

Kielly32
    No, it is not safe. Use prepared statements and then you will be safe-guarded against SQL Injection. – Jay Blanchard Jan 26 '18 at 02:58
  • As I always say - [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jan 26 '18 at 03:00
  • Thanks, I'll have a look into those links and I'll use prepared statements. – Kielly32 Jan 26 '18 at 03:03
  • I added a few more links to what @Jay used to close the question with. – Funk Forty Niner Jan 26 '18 at 03:14
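A prepared-statement version of the same registration flow, added here as a worked example; it is not code from the question or from the comments above. It assumes an open mysqli connection in $mysqli (the connection values are placeholders) and the users table with the columns named in the question's INSERT; the function names user_exists and register_user are my own.

```php
<?php
declare(strict_types=1);

// Throw exceptions on SQL errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Assumed connection (placeholders, not real credentials):
// $mysqli = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
// $mysqli->set_charset('utf8mb4');

function user_exists(mysqli $mysqli, string $column, string $value): bool
{
    // Placeholders can bind values, never identifiers, so the column name
    // comes from a fixed allow-list rather than from the request.
    $allowed = ['email' => 'email', 'username' => 'username'];
    if (!isset($allowed[$column])) {
        throw new InvalidArgumentException('unsupported lookup column');
    }
    $stmt = $mysqli->prepare("SELECT 1 FROM users WHERE {$allowed[$column]} = ? LIMIT 1");
    $stmt->bind_param('s', $value);   // the value is sent separately from the SQL text
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

// Returns null on success, or a message for the caller to show the user.
function register_user(mysqli $mysqli, array $input): ?string
{
    $fields = ['firstname', 'lastname', 'email', 'password', 'igname', 'profileurl', 'rules', 'username'];
    foreach ($fields as $f) {
        if (!isset($input[$f]) || !is_string($input[$f])) {
            return "Missing field: $f";
        }
    }
    if (!filter_var($input['email'], FILTER_VALIDATE_EMAIL)) {
        return 'Invalid email address';
    }
    if (user_exists($mysqli, 'email', $input['email'])) {
        return 'User with this email already exists!';
    }
    if (user_exists($mysqli, 'username', $input['username'])) {
        return 'User with this username already exists!';
    }

    // bind_param takes variables by reference, so every value is assigned first.
    $firstName      = $input['firstname'];
    $lastName       = $input['lastname'];
    $email          = $input['email'];
    $passwordHash   = password_hash($input['password'], PASSWORD_BCRYPT);
    $activationHash = bin2hex(random_bytes(16)); // 128-bit token from a CSPRNG
    $igname         = $input['igname'];
    $profileUrl     = $input['profileurl'];
    $readRules      = $input['rules'] === '1' ? 1 : 0;
    $admin          = 0;
    $username       = $input['username'];

    $stmt = $mysqli->prepare(
        'INSERT INTO users (first_name, last_name, email, password, hash, igname, profileurl, readrules, admin, username)'
        . ' VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'
    );
    // Type string: seven strings, two integers, one string, matching the column order above.
    $stmt->bind_param(
        'sssssssiis',
        $firstName, $lastName, $email, $passwordHash, $activationHash,
        $igname, $profileUrl, $readRules, $admin, $username
    );
    $stmt->execute();
    $stmt->close();
    return null;
}

// Usage from a request handler such as the question's register.php:
// $error = register_user($mysqli, $_POST);
// if ($error !== null) { $_SESSION['message'] = $error; header('Location: error.php'); exit(); }
```

Two points this version makes that the escaped-string version cannot: the user-supplied values never become part of the SQL text, so a value such as `' OR '1'='1` is stored as a literal string rather than parsed as SQL, and the only identifier that varies (the lookup column) is chosen from an allow-list because `?` placeholders cannot stand in for column names. If escape_string is kept anywhere, it is only reliable when the connection charset has been set with set_charset so that the escaping matches what the server will decode.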

0 Answers