Welcome Guest, Not a member yet? Register   Sign In
SQL Injection
#1

Afternoon

I was struggling to get some data to insert in to MySQL but i have finally got that working - However, someone said I am wide open to an SQL injection attack and theyve not said anything else about it. This of course got me worried

In my views I have a postcode.php and a submit.php (the submit is where the SQL query is saved).

PHP Code:
// SAVE POSTCODE & DELIVERY COST
if(isset($_POST['submitPostCode'])){
    // Get editor content
    $postCodeString $_POST['postCodetext'];
    $costString $_POST['costtext'];

    // Check whether the editor content is empty
    if(!empty($postCodeString)){
        // Insert editor content in the database
        $insert1 $db->query("INSERT INTO postCode (postCode, Cost) VALUES ('".$postCodeString."', '".$costString."')");

        // If database insertion is successful
        if($insert1){
            $statusMsg1 "Succeddfully Saved.";
        }else{
            $statusMsg1 "A problem occurred, please try again.";
        }
    }else{
        $statusMsg1 'You cannot save a blank postcode or delivery charge';
    }


I kind of understand SQL injection. My knowledge is that a malicious using may be able to essentially change the query to suite their need such as drop a table etc.

But how is mine not secure, and why is it wide open to an attack? Also, what can I immediately do to secure it
Reply
#2

On what it is:
https://www.php.net/manual/en/security.d...ection.php

And how you can bind/escape in Codeigniter:
https://codeigniter.com/user_guide/datab...eries.html
Reply
#3

Use the query builder, is super friendly. Check the link posted above

Also, enable global_xss_filtering on your config.php file. Note that this function is deprecated though so try not to depend on it.
PHP Code:
$config['global_xss_filtering'] = TRUE



In addition, check out the Security class https://codeigniter.com/user_guide/libra...urity.html.
Reply
#4

Don't enable global_xss_filtering, it's deprecated for a reason. You should filter/validate on input and escape on output.
Reply




Theme © iAndrew 2016 - Forum software by © MyBB