I have the following PHP code on an intranet site, and I've recently learned about a Firefox addon 'SQL Inject Me'. Out of curiousity I've tried to run it on this really simple site (basically a phonebook with an admin account).
The test returned 51 #302 errors, but when I tried them I could not do any harm nor access (to) the database.
Is there any more to do than this to prevent the injection? When I've searched, they all advised PDO prepared statements, but this was done using that.
PHP
include_once("inetcon.php");
session_start();
$uid = $_POST['uid'];
$pass = $_POST['pass'];
// This is what I've added after seeing the errors
$uid = mysql_real_escape_string($uid);
$pass = mysql_real_escape_string($pass);
$uid = str_replace("'","fag",$uid);
// end of block
$extract = $handler->prepare('SELECT * FROM net_users WHERE users_fname = ? and users_role = ? and users_active = "2"');
$extract->execute(array($uid, md5($pass)));
The addon returns all the basic ones like:
Server Status Code: 302 Found
Tested value: 1' OR '1'='1
Thanks for the help.
This:
$uid = $_POST['uid'];
$pass = $_POST['pass'];
Should be:
$uid = mysqli_real_escape_string($db_connect, $_POST['uid']);
$pass = mysqli_real_escape_string($db_connect, $_POST['pass']);
This way the variables become the escaped string else you just don't do anything to them.
And why do you use mysql_* with mysqli_* or pdo?
Using prepared statements is good tough.
UPDATE
You could also add trim() to remove useless spaces and strip_tags() to remove all html tags:
$uid = mysqli_real_escape_string($db_connect, trim(strip_tags($_POST['uid'])));
$pass = mysqli_real_escape_string($db_connect, trim(strip_tags($_POST['pass'])));
so an input like: <b onClick="some javascript injection">Test</b> is this <u>striped</u>? will become: Test is this striped?