This code is vulnerable to SQL injection. How can I improve it to prevent injections? And how can I test this code with injections? This is my code:
```php
if (isset ($_POST['name'])) {
    $name = $_POST['name'];
}
if (isset ($_POST['remarcs'])) {
    $remarcs = $_POST['remarcs'];
}
if (isset ($_POST['test_res'])) {
    $test_res = $_POST['test_res'];
}
if (isset ($_POST['address'])) {
    $address = $_POST['address'];
}
if (isset ($_POST['date'])) {
    $date = $_POST['date'];
}
if (isset ($_POST['phone_num'])) {
    $phone = $_POST['phone_num'];
}
if (isset ($_POST['illness'])) {
    $illness = $_POST['illness'];
}
if (isset ($_POST['echo'])) {
    $echo = $_POST['echo'];
}
if (isset ($_POST['pe'])) {
    $pe = $_POST['pe'];
}
if (isset ($_POST['pmhx'])) {
    $pmhx = $_POST['pmhx'];
}
if (isset ($_POST['pshx'])) {
    $pshx = $_POST['pshx'];
}
if (isset ($_POST['habbits'])) {
    $habbits = $_POST['habbits'];
}
if (isset ($_POST['occup'])) {
    $occup = $_POST['occup'];
}
if (isset ($_POST['allergy'])) {
    $allergy = $_POST['allergy'];
}
//Check file is uploaded or not
//if (isset($_FILES['file']['name']) && $_FILES['file']['name']!='' && $_FILES['file']['error']=='') {
//$path2 = ... ;
//move_uploaded_file(...);
if(is_uploaded_file($_FILES["file"]["tmp_name"]))
{
    $path = "../uploads/".$_FILES['file']['name'];
    move_uploaded_file($_FILES["file"]["tmp_name"], $path);
    $new_path = "./uploads/".$path;
}
else{
    $new_path = $_POST['org_path'];
    //$path2 = "../uploads/".$_FILES['echo_photo']['name'];
}
//move_uploaded_file($_FILES["file"]["tmp_name"], $path);
//$new_path = $path;
$sql="UPDATE $tbl_name SET
    name = '$name',
    echo_files = '$new_path',
    remarcs = '$remarcs',
    test_res = '$test_res',
    date = '$date',
    address = '$address',
    phone_num = '$phone',
    illness = '$illness',
    echo = '$echo',
    pmhx = '$pmhx',
    pshx = '$pshx',
    habbits = '$habbits',
    occup = '$occup',
    allergy = '$allergy',
    pe = '$pe'
    WHERE id = ".$id;
$result=mysqli_query($con,$sql) or die('Unable to execute query. '. mysqli_error($con));
```
1) You can use Prepared Statements
A prepared statement or a parameterised statement is used to execute a statement securely and with high efficiency. E.g. PDO.
2) For advanced hardening techniques you may refer to OWASP SQL Injection Prevention
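The asker's UPDATE rewritten with a PDO prepared statement, as an added example that is not code from the question or from this answer. It uses an in-memory SQLite database so it runs stand-alone (for MySQL, change the DSN and nothing else); the table name `patients`, the helper names `connect`, `createSchema`, `updatePatient` and `fetchPatient`, and the sample row are assumptions. The column list is taken from the question's query.

```php
<?php
declare(strict_types=1);

// Added example (not from the question or either answer): the asker's UPDATE
// as a PDO prepared statement. In-memory SQLite keeps it self-contained; for
// MySQL use a DSN such as "mysql:host=...;dbname=..." and the rest is unchanged.
// The table name "patients" is an assumption.

// Columns taken from the question's UPDATE. Identifiers cannot be bound as
// parameters, so only names from this fixed list ever reach the SQL text.
const PATIENT_COLUMNS = [
    'name', 'echo_files', 'remarcs', 'test_res', 'date', 'address', 'phone_num',
    'illness', 'echo', 'pmhx', 'pshx', 'habbits', 'occup', 'allergy', 'pe',
];

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on any error instead of returning false (replaces the "or die" chain).
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

function createSchema(PDO $pdo): void
{
    $pdo->exec('CREATE TABLE patients (id INTEGER PRIMARY KEY, '
        . implode(' TEXT, ', PATIENT_COLUMNS) . ' TEXT)');
    // Constructed sample row so the UPDATE has something to change.
    $pdo->exec("INSERT INTO patients (id, name, remarcs) VALUES (1, 'placeholder', '')");
}

// Updates only the columns present in $fields. Every value travels as a bound
// parameter, so quotes or SQL keywords inside it are stored literally, never parsed.
function updatePatient(PDO $pdo, int $id, array $fields): int
{
    $assignments = [];
    $params = [':id' => $id];
    foreach (PATIENT_COLUMNS as $col) {
        if (array_key_exists($col, $fields)) {
            $assignments[] = "$col = :$col";
            $params[":$col"] = (string) $fields[$col];
        }
    }
    if ($assignments === []) {
        return 0;
    }
    $sql = 'UPDATE patients SET ' . implode(', ', $assignments) . ' WHERE id = :id';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

function fetchPatient(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, remarcs FROM patients WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- demo with constructed input standing in for $_POST ---
$pdo = connect();
createSchema($pdo);

// A name with an apostrophe is the minimal test case: in the original
// string-built query it would terminate the quoted literal and break the statement.
$post = ['name' => "Ann O'Brien", 'remarcs' => 'follow-up in 2 weeks', 'ignored' => 'x'];
// The int type hint keeps the WHERE clause numeric; reject non-numeric ids before this point.
$changed = updatePatient($pdo, (int) '1', $post);

$row = fetchPatient($pdo, 1);
if ($changed !== 1 || $row === null || $row['name'] !== "Ann O'Brien") {
    throw new RuntimeException('value was not stored literally');
}
echo "stored name: ", $row['name'], "\n";

// When echoing values back into HTML, escape for the output context as well.
echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
```

Two design points: the column list is a constant rather than user input because placeholders can carry values but not table or column names, so anything that must vary there has to be allowlisted; and unknown keys in the submitted array (`ignored` above) are silently dropped instead of being concatenated into the query. Run with `php example.php`; `rowCount()` reports one changed row and the apostrophe survives intact.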
It's my suggestion: use regex to check variable values.
For example:
If a field expects an integer, check whether it's an integer (only an integer).
If it is a string, check whether it's only alphanumeric.
If you upload files to your server, don't give them execute permission.
Check the length of values.
Use addslashes to escape single quotes.
Use mysqli_real_escape_string.
Use mysqli prepared statements.
Use htmlentities.
Overall, allow the variable to contain only what you think it should contain.
etc.
Only after all these things should you consider using a variable in your SQL query.
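A per-field allowlist validator for the form in the question, as an added example that is not code from the question or from this answer. It applies the checks listed above (integer-only ids, restricted character sets, length limits) as a layer in front of the query; the patterns, limits, the constant `FIELD_RULES`, the function `validateForm` and the two sample submissions are assumptions chosen to illustrate the technique. Only a few of the question's fields are shown; the rest follow the same shape.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or this answer: per-field allowlist
// validation for the form in the question. Patterns and length limits are
// assumptions; tune them to what each field should really contain.

const FIELD_RULES = [
    // field      => [regex (null = length/encoding check only), max length in bytes]
    'id'        => ['/\A[1-9][0-9]{0,9}\z/',      10],
    'name'      => ['/\A[\p{L} .\'-]{1,100}\z/u', 100],
    'date'      => ['/\A\d{4}-\d{2}-\d{2}\z/',    10],
    'phone_num' => ['/\A\+?[0-9 -]{6,20}\z/',     20],
    'occup'     => ['/\A[\p{L}\p{N} \/&-]+\z/u',  60],
    'remarcs'   => [null,                        2000],
];

/**
 * Returns [$clean, $errors]. $clean holds only fields that passed every rule;
 * $errors maps rejected field names to a reason. Nothing is "repaired":
 * a value that does not fit its rule is refused rather than escaped.
 */
function validateForm(array $input): array
{
    $clean = [];
    $errors = [];
    foreach (FIELD_RULES as $field => [$pattern, $max]) {
        if (!array_key_exists($field, $input)) {
            $errors[$field] = 'missing';
            continue;
        }
        $value = $input[$field];
        // A form can submit name[]=..., which PHP delivers as an array; refuse it.
        if (!is_string($value)) {
            $errors[$field] = 'not a string';
            continue;
        }
        if (strlen($value) > $max) {
            $errors[$field] = "longer than $max bytes";
            continue;
        }
        if ($pattern !== null && preg_match($pattern, $value) !== 1) {
            $errors[$field] = 'does not match the allowed format';
            continue;
        }
        // Shape is not enough for dates: 2024-13-45 matches \d{4}-\d{2}-\d{2}.
        if ($field === 'date') {
            [$y, $m, $d] = array_map('intval', explode('-', $value));
            if (!checkdate($m, $d, $y)) {
                $errors[$field] = 'not a calendar date';
                continue;
            }
        }
        // Free-text fields: still refuse invalid UTF-8 and control characters.
        if ($pattern === null
            && (preg_match('//u', $value) !== 1
                || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $value) === 1)) {
            $errors[$field] = 'contains control characters or invalid UTF-8';
            continue;
        }
        $clean[$field] = $value;
    }
    return [$clean, $errors];
}

// --- demo with constructed submissions standing in for $_POST ---
$good = ['id' => '42', 'name' => "Ann O'Brien", 'date' => '2024-02-29',
         'phone_num' => '+1 555 0100', 'occup' => 'Nurse',
         'remarcs' => 'follow-up in two weeks'];
$bad  = ['id' => '42a', 'name' => 'Ann', 'date' => '2024-13-45',
         'phone_num' => '123', 'occup' => ['Nurse'],
         'remarcs' => str_repeat('x', 3000)];

[$clean, $errors] = validateForm($good);
echo 'good submission: ', count($errors), ' errors, id as int: ', (int) $clean['id'], "\n";

[$clean, $errors] = validateForm($bad);
foreach ($errors as $field => $reason) {
    echo "bad submission: $field -> $reason\n";
}
```

The rules are written as anchored (`\A...\z`) allowlists rather than denylists of "dangerous" characters, so a legitimate apostrophe in a name is accepted while a non-numeric id is refused outright. Treat this as defence in depth in front of the parameterised query rather than a replacement for it: the validator decides what the application accepts, and the placeholder decides how the database receives it.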