I have just finished writing my own php registration script from scratch and since I am new to this I wanted to ask if the method I’m using is safe from sql injections?
This is an example how I exchange data with my sql database:
public function StoreUser($name, $email, $password, $devid) {
$mysqli = new mysqli("host", "user", "pass", "data");
if ($mysqli->connect_errno) {
echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
}
$unique_id = uniqid('', true);
$hash = $this->hashSSHA($password);
$add_user = $mysqli->prepare("INSERT INTO `users` SET `unique_id`=?, `name`=?, `email`=?, `encrypted_password`=?, `salt`=?, `devid`=?, `created_at`=?");
$add_user->bind_param("sssssss",$unique_id,$name,$email,$hash["encrypted"],$hash["salt"],$devid,date("H:i:s"));
if ($add_user->execute()) {
$add_user->close();
$mysqli->close();
return true;
}
else {
$add_user->close();
$mysqli->close();
return false;
}
}
Using proper SQL placeholders is an important first step towards making your application secure. In this case you shouldn’t have to worry about any SQL injection bugs, the escaping should be done for you if you’re disciplined about using placeholders for any and all user-supplied data, but there could be other issues.
Remember that just as you escape things for a SQL statement, you should likewise be diligent about escaping user-supplied data before displaying it as HTML or you could end up with all kinds of issues, the worst of which is XSS.
In any case, PDO makes it a lot easier to do the escaping.
mysqliis usually used only if PDO is not available.There is no singular magic bullet, but there are a number of things you can do to prevent your application from being abused, or just suffering embarrassing bugs. This can be difficult to do if you’re writing your own low-level database interfacing code instead of using a framework, though. You’ll spend a lot of time re-inventing the wheel.