What’s the difference between these three queries, in terms of security but also good coding syntax?
Query 1
$sql = "SELECT user_id,
user_email,
user_pass
FROM user_tb
WHERE user_email =\"".$e."\"
AND user_pass = md5(\"".$p."\") ";
Query 2
$sql = "SELECT user_id,
user_email,
user_pass
FROM user_tb
WHERE user_email = '$e'
AND user_pass = '$p' ";
Query 3
$sql = "SELECT user_id,
user_email,
user_pass
FROM user_tb
WHERE user_email = $e
AND user_pass = $p ";
The first one performs string concatenation for the variables ($e and $p), additionally using the MD5 function to get the hash of the password for comparison against the USER_TB.user_pass column value. The MD5 isn’t any good if the values aren’t stored as the hash – because there wouldn’t be anything to match against. Same for vice versa…
The second example lacks the MD5 function use, but properly encloses the variables in single quotes to be treated as string literals for comparison against column values.
The third query lacks the single quoting for proper SQL string handling, and the MD5 function use.
Summary
All three are susceptible to SQL injection attacks. If not using PDO, sprintf is a solution to using a prepared statement:
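Added example (not part of the question or the answer above): the same lookup written as a PDO prepared statement with bound parameters, so the values of $e and $p are sent to the database separately from the SQL text and can never change the shape of the query. It assumes the user_pass column stores a password_hash() digest rather than an MD5 hash (the original queries compare MD5 or plaintext in SQL), and it runs against an in-memory SQLite database with constructed data so it can be executed offline.

```php
<?php
// Added example, not code from the question or the answer.
// Assumption: user_tb.user_pass holds a password_hash() digest, so the
// password is verified in PHP with password_verify() instead of in SQL.
declare(strict_types=1);

function findUserByCredentials(PDO $db, string $e, string $p): ?array
{
    // Only the e-mail is used in the query, and it is bound as a parameter:
    // quotes or other characters in $e are treated as data, not as SQL.
    $stmt = $db->prepare(
        'SELECT user_id, user_email, user_pass
           FROM user_tb
          WHERE user_email = :email'
    );
    $stmt->bindValue(':email', $e, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown e-mail and wrong password produce the same result, so the
    // caller cannot tell which one failed.
    if ($row === false || !password_verify($p, $row['user_pass'])) {
        return null;
    }
    unset($row['user_pass']); // never hand the stored hash back to the caller
    return $row;
}

// Self-contained demo: in-memory SQLite with one constructed user row.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_tb (
    user_id    INTEGER PRIMARY KEY,
    user_email TEXT UNIQUE NOT NULL,
    user_pass  TEXT NOT NULL
)');
$ins = $db->prepare('INSERT INTO user_tb (user_email, user_pass) VALUES (:email, :hash)');
$ins->execute([
    ':email' => "o'brien@example.com",            // constructed; contains a quote
    ':hash'  => password_hash('correct horse', PASSWORD_DEFAULT),
]);

// Correct credentials: returns user_id and user_email, without the hash.
var_dump(findUserByCredentials($db, "o'brien@example.com", 'correct horse'));
// Wrong password: null.
var_dump(findUserByCredentials($db, "o'brien@example.com", 'wrong password'));
// Unknown e-mail: null. The quote in the address would have broken the
// concatenated queries above; here it is just part of the bound value.
var_dump(findUserByCredentials($db, "nobody'@example.com", 'anything'));
```

The protection here comes from the separation of SQL text and bound values in prepare()/bindValue()/execute(), not from how the string is assembled: a query built with sprintf() is still a single string in which the user input becomes part of the SQL. Keeping the password out of the WHERE clause entirely also means the hashing scheme can be upgraded in PHP (password_needs_rehash()) without touching the query.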