Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial

PHP

Posted by Brian Bush
Brian Bush
4,398 Points

question on sql injection

with my code below, it is in danger of an sql injection? I have been trying many attempts to inject sql but get no luck in succeeding but I could be doing it wrong? any help or thoughts on preventing sql injection would be appreciated!

$username = $_POST['username'];
    $password = $_POST['password'];
    $sql = "SELECT * FROM users WHERE user_name = '$username' AND password = '$password'";
    $result = $db->query($sql);

3 Answers

Ben Rubin
PLUS
Ben Rubin
Courses Plus Student 14,658 Points
Ben Rubin
Ben Rubin
Courses Plus Student 14,658 Points

Yes it is vulnerable. Any time you take a value from somewhere that the user can enter data and plug that value directly into a query, you can get SQL injected. Imagine if the user entered their password as ' OR 1=1 --. Then you'd get

SELECT * FROM users WHERE user_name = <some value> AND password = '' OR 1=1 --'

You never want to take a value that the user could enter and plug that directly into a query. Also remember that a user can modify the HTML of your page so you don't want to take any value from the page and plug that directly into a query either. Take a look at this link for a better explanation and for how to prevent this http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php

Ryan Stratton
Ryan Stratton
19,181 Points
Ryan Stratton
Ryan Stratton
19,181 Points

Yes, it's in danger of sql injection. Here's an example of how a sql injection attack could be used to manipulate your code:

$username = $_POST['username']; // = user
$password = $_POST['password']; // = anything' OR password LIKE '%
$sql = "SELECT * FROM users WHERE user_name = '$username' AND password = '$password'";

// Resulting Statement
// SELECT * FROM users WHERE user_name = 'user' AND password = 'anything' OR password LIKE '%'

By not escaping, validating, or using prepared statements, an attacker could pass additional sql into the form input. In my example, I was able to pass additional sql through the password input field. This SQL adds an OR statement to the query that will match any password in the database equal to any number of character, even zero. This code would return multiple users because it matches every password. Your application will most likely be expecting a single row to be returned from the database so it shouldn't work on a production site. That said, there are far more aggressive code examples that could be passed into username field. Code that could result it some very very bad outcomes.

I would strongly recommend looking at implementing PDO and prepared statements. You can read more about Prepared Statements on the PHP website here: http://www.php.net/pdo.prepared-statements.

Bottom line, never trust user provided data! Escape, Validate & Prepare Statements!

Ryan

Brian Bush
Brian Bush
4,398 Points
Brian Bush
Brian Bush
4,398 Points

so I should prepare the query and then bind the params, then execute?

Ryan Stratton
Ryan Stratton
19,181 Points

Yes, that's correct. Just keep in mind that if you're building up your query from other parts of you application before binding parameters you could still be vulnerable to SQL injection.