Hello. I would like to learn protection against SQL injection. As you know, the best protection you can get through the nuke is how SQL injection works. I have code written in PHP; I used PDO for greater security. I have read many articles related to SQL injection attacks, but few articles are on PDO, so it can be understood that PDO is more secure. I have a code that at times prevented my attacks. So, in a nutshell, in the future I would like to become a security expert. Anyway, maybe you know what attack methods are on PDO? Below I will give you a code that, as I said before, is relatively resistant to attacks. Thanks in advance for your help.

index.php
HTML
<!DOCTYPE html>
<html>
<body>
    <form action="login.php" method="post">
        <input type="text" name="name" placeholder="Your name">
        <input type="text" name="email" placeholder="Your email">
        <input type="submit" name="sent" id="ref" value="Send">
    </form>
</body>
</html>


login.php
PHP
<?php
session_start();

    $dbname = 'test'; 
    $dbhost = 'localhost';
    $dbuser = 'root';
    $dbpass = '';

    try 
    {
        if((!isset($_POST['name'])) || (!isset($_POST['email'])))
        {
            header("Location: index.php");
            exit();
        }
            $PDO = new PDO('mysql:host='.$dbhost.';dbname='.$dbname,$dbuser,$dbpass);
            // $_POST['name'] is concatenated into the SQL text; no parameter is bound
            $userow = $PDO->prepare('SELECT * FROM `users` WHERE `user`="'.$_POST['name'].'" ');
            $userow->execute();

            $count = $userow->rowCount();
            if($count>0)
            {
                $row = $userow->fetch(PDO::FETCH_ASSOC);
                if($_POST['email'] === $row['pass'])
                {
                    $_SESSION['logged'] = true;
                    $_SESSION['nick'] = $row['user'];
                    $_SESSION['pass'] = $row['pass'];
                    header("Location: logged.php");
                }
                else
                {
                    echo "Wrong login or password!";
                }
        }
        else
        {
                echo "Wrong login or password!";
        }
    }
    catch(PDOException $error)
    {
        die('Error!:'.$error->getMessage());
    }
?>

logged.php
PHP
<?php
	session_start();

	if (!isset($_SESSION['logged']))
	{
        header("Location: index.php");
		exit();
	} 
?>
<!DOCTYPE html>
<html>
<body>
    <a href="logout.php">Logout!</a>
	<?php

    $dbname = 'test'; 
    $dbhost = 'localhost'; 
    $dbuser = 'root'; 
    $dbpass = '';

    try 
    {     
            $PDO = new PDO('mysql:host='.$dbhost.';dbname='.$dbname,$dbuser,$dbpass);
            // $_SESSION['nick'] is concatenated into the SQL text; no parameter is bound
            $userow = $PDO->prepare('SELECT * FROM `users` WHERE `user`="'.$_SESSION['nick'].'" ');
            $userow->execute();

            $row = $userow->fetch(PDO::FETCH_ASSOC);

			echo $row['user'];
    
    }
    catch(PDOException $error)
    {
        die('Error!'.$error->getMessage());
    }
?>
</body>
</html>


What I have tried:

Basic SQL injection
- Add an apostrophe to the textbox login
- Add an apostrophe to the textbox password OR 1=2
etc.
Updated 22-Jun-17 10:02am

You should learn 'Google'

SQL injection - Wikipedia
SQL Injection
Comments
Mike CJ 21-Jun-17 18:56pm    
I was more specific about PDO
barneyman 21-Jun-17 19:05pm    
DO NOT concat strings, use arguments ... a quick google turned up this http://php.net/manual/en/pdo.prepare.php
Mike CJ 22-Jun-17 7:12am    
But there is no general. How to work around the blockade and defend against such attacks.
barneyman 22-Jun-17 20:09pm    
I quoted the EXACT general case

DO NOT concat strings, use arguments
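
Added example (not part of the original thread or the poster's code): the concatenated lookup from login.php beside a version that binds the name as a parameter, run over three constructed inputs. It assumes the pdo_sqlite extension and uses an in-memory SQLite table with single-quoted string literals in place of the MySQL `users` table; the function names and sample rows are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumes the pdo_sqlite extension;
// an in-memory SQLite table stands in for the MySQL `users` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user TEXT, pass TEXT)');
$pdo->exec("INSERT INTO users VALUES ('alice', 'a-secret'), ('bob', 'b-secret')");

// Same pattern as login.php: the input becomes part of the SQL text, so
// prepare() receives a finished statement with nothing left to bind.
function findUserConcat(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT user FROM users WHERE user = '" . $name . "'");
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Placeholder version: the SQL text is fixed and the input is sent as data.
function findUserBound(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT user FROM users WHERE user = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal name, a name containing an apostrophe,
// and a value that carries SQL syntax of its own.
$inputs = ['alice', "o'brien", "nobody' OR '1'='1"];

foreach ($inputs as $name) {
    try {
        $concat = implode(',', findUserConcat($pdo, $name));
    } catch (PDOException $e) {
        $concat = 'SQL error'; // the apostrophe changed the statement's syntax
    }
    $bound = implode(',', findUserBound($pdo, $name));
    printf("%-20s concat=[%s] bound=[%s]\n", $name, $concat, $bound);
}
```

With the pdo_mysql driver, PDO emulates prepared statements by default; setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the MySQL server perform the binding.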

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


