I have tried SQL injection against my own code, which "technically" should be vulnerable, but it doesn't work

I keep getting told my code is vulnerable to SQL injection; however, I have since converted from the mysql extension to mysqli, and I've tried SQL injection attacks on myself, but none of them seem to work. So my question is...

Is my code actually secure, and if not, why won't the SQL injection work?

<?php

session_start();
if (!isset($_SESSION["email"])) {
    header("Location: logout.php");
    die();
}

include('connect-db.php'); // assumed to set $db to a mysqli connection

if (mysqli_connect_errno()) {
    echo "Failed to connect to mysqli: " . mysqli_connect_error();
}

function newUser()
{
    $forename  = $_POST['forename'];
    $surname   = $_POST['surname'];
    $email     = $_POST['email'];
    $securityq = $_POST['securityq'];
    $securitya = $_POST['securitya'];
    $password  = $_POST['password'];

    // Vulnerable: every POST value is interpolated straight into the SQL string,
    // and the password is stored in clear text.
    $query = "INSERT INTO admin (forename,surname,email,securityq, securitya,password) VALUES ('$forename','$surname','$email','$securityq','$securitya','$password')";

    include('connect-db.php');
    $data = mysqli_query($db, $query) or die(mysqli_error($db));
}

function SignUp()
{
    if (!empty($_POST['email'])) {
        include('connect-db.php');
        // Vulnerable: $_POST['email'] is interpolated straight into the query.
        $query = mysqli_query($db, "SELECT * FROM admin WHERE email = '$_POST[email]'")
            or die(mysqli_error($db));
        // The parentheses matter: without them, "!$row = ... or die(...)" called
        // die() whenever a row was found, so the "already registered" branch never ran.
        if (!($row = mysqli_fetch_array($query))) {
            newUser();
            echo ("<SCRIPT LANGUAGE='JavaScript'>
    window.alert('Admin Registration Successful')
    window.location.href='adminhome.php';
    </SCRIPT>");
        } else {
            echo ("<SCRIPT LANGUAGE='JavaScript'>
            window.alert('Sorry You are already a registered user!')
            window.location.href='adminhome.php';
    </SCRIPT>");
        }
    }
}

if (isset($_POST['submit'])) {
    SignUp();
}

?>

The errors I get upon attempted SQL injection are all similar to this one:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DROP table pdf',','lll','pppppp')' at line 1

I have also tried lots of different types of SQL injection, and none of them work.

There are multiple ways to break your code; it is not secure. It doesn't have to be possible to execute a DROP statement for your code to be unsafe.

For example, the function SignUp is insecure. If the value of $_POST[email] is ' OR 1=1 --, then the authentication query becomes:

SELECT * FROM admin WHERE email = '' OR 1=1 --

(The -- is a common indicator of an attack; its purpose is to turn whatever follows into a comment.) This query will always return a result, because 1=1 is always true. So, your user will always be authenticated as an admin. This means newUser gets called, the attacker's data gets inserted into the admin table, and you just lost control of your site.

MORAL: Always use prepared statements. Never insert a value that came from a user, could have come from a user, came from a database, came from an API, etc., directly into your SQL statements. Do not trust anybody (including yourself) when it comes to SQL injection, and use a prepared statement for every parameter or variable, every time.

You should read OWASP's guide to SQL injection issues, their SQL Injection Prevention Cheat Sheet, and their PHP Security Cheat Sheet.

If I remember this right, mysqli_query can only execute one query at a time. This means that you cannot expand the query via injection into more queries like

$query = "INSERT INTO admin (forename,surname,email,securityq, securitya,password) 
          VALUES ('$forename','$surname','$email','$securityq','$securitya','$password')";

using

$password = "'); DROP TABLE admins; --";

But maybe you can change it to overwrite some other data. E.g. using

$password = "newPasswort') ON DUPLICATE KEY UPDATE password = VALUES(password); --";

I've not tested this. It's just to get the idea. DROP is not the only evil injection.

The best way to prevent SQL injections is to use prepared statements. Escaping strings is better than doing nothing, but maybe there are some examples where even the escaped string leads to an injection. Prepared statements are handed to the database separately, so that it knows the query already and inputs cannot change the query any more.

Also note that storing the password in plain text is never a good idea. Please hash passwords using password_hash or something similar.
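As an added example (not code from the question or from either answer), here is the sign-up flow from the question rewritten the way both answers recommend: mysqli prepared statements for the e-mail lookup and for the INSERT, and password_hash() instead of a clear-text password. It assumes, as the original does, that connect-db.php sets $db to a mysqli connection and that the admin table has the six columns used in the question; the helper names adminExists and checkPassword are my own.

```php
<?php
// Added example, not the original poster's code. Assumes connect-db.php defines
// $db as a mysqli connection and that table admin has the columns
// forename, surname, email, securityq, securitya, password.

declare(strict_types=1);

// Make mysqli throw on errors instead of relying on "or die(...)" after every call
// (this is the default from PHP 8.1 on; setting it explicitly covers older versions).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

include 'connect-db.php'; // assumed to set $db = new mysqli(...)

/**
 * True if an admin with this e-mail already exists.
 * The e-mail is a bound parameter, so the payload from the first answer,
 *   ' OR 1=1 --
 * is compared literally against the email column and matches nothing.
 */
function adminExists(mysqli $db, string $email): bool
{
    $stmt = $db->prepare('SELECT 1 FROM admin WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

/**
 * Insert a new admin. Every value is a bound parameter, so the payload from the
 * second answer,
 *   newPasswort') ON DUPLICATE KEY UPDATE password = VALUES(password); --
 * ends up as the stored value, never as part of the statement.
 * The password column receives a password_hash() digest, never the clear text.
 */
function newUser(mysqli $db, array $fields): void
{
    $hash = password_hash($fields['password'], PASSWORD_DEFAULT);

    $stmt = $db->prepare(
        'INSERT INTO admin (forename, surname, email, securityq, securitya, password)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param(
        'ssssss',
        $fields['forename'],
        $fields['surname'],
        $fields['email'],
        $fields['securityq'],
        $fields['securitya'],
        $hash
    );
    $stmt->execute();
    $stmt->close();
}

/**
 * For the login page later: verify a submitted password against the stored hash.
 */
function checkPassword(mysqli $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM admin WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($hash);
    $ok = $stmt->fetch() && password_verify($password, $hash);
    $stmt->close();
    return $ok;
}

if (isset($_POST['submit'])) {
    $required = ['forename', 'surname', 'email', 'securityq', 'securitya', 'password'];
    foreach ($required as $name) {
        if (!isset($_POST[$name]) || $_POST[$name] === '') {
            http_response_code(400);
            exit('Missing field: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
        }
    }

    if (adminExists($db, $_POST['email'])) {
        echo 'Sorry, you are already a registered user!';
    } else {
        newUser($db, $_POST);
        echo 'Admin registration successful';
    }
}
```

The query text sent to the server contains only placeholders; the values travel separately, which is why neither payload quoted above can alter the statement. mysqli_query() still refuses stacked statements as the second answer notes, but with bound parameters that restriction is no longer what the code's safety depends on.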