Reputation: 529
I have just finished writing my own PHP registration script from scratch and since I am new to this I wanted to ask if the method I'm using is safe from SQL injections?
This is an example of how I exchange data with my SQL database:
    public function StoreUser($name, $email, $password, $devid) {
        $mysqli = new mysqli("host", "user", "pass", "data");
        if ($mysqli->connect_errno) {
            echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
            return false; // do not continue with a failed connection
        }
        $unique_id = uniqid('', true);
        $hash = $this->hashSSHA($password);
        // Placeholders (?) keep the user-supplied values out of the SQL text itself.
        $add_user = $mysqli->prepare("INSERT INTO `users` SET `unique_id`=?, `name`=?, `email`=?, `encrypted_password`=?, `salt`=?, `devid`=?, `created_at`=?");
        if ($add_user === false) {
            // prepare() returns false on a SQL error or a broken connection
            $mysqli->close();
            return false;
        }
        // bind_param() takes its arguments by reference, so each value must be a variable;
        // passing date() directly triggers "Only variables should be passed by reference".
        $encrypted  = $hash["encrypted"];
        $salt       = $hash["salt"];
        $created_at = date("H:i:s");
        $add_user->bind_param("sssssss", $unique_id, $name, $email, $encrypted, $salt, $devid, $created_at);
        $ok = $add_user->execute();
        $add_user->close();
        $mysqli->close();
        return $ok;
    }
Upvotes: 2
Views: 87
Reputation: 211560
Using proper SQL placeholders is an important first step towards making your application secure. In this case you shouldn't have to worry about any SQL injection bugs; the escaping should be done for you if you're disciplined about using placeholders for any and all user-supplied data, but there could be other issues.
Remember that just as you escape things for a SQL statement, you should likewise be diligent about escaping user-supplied data before displaying it as HTML or you could end up with all kinds of issues, the worst of which is XSS.
In any case, PDO makes it a lot easier to do the escaping. mysqli is usually used only if PDO is not available.
There is no singular magic bullet, but there are a number of things you can do to prevent your application from being abused, or just suffering embarrassing bugs. This can be difficult to do if you're writing your own low-level database interfacing code instead of using a framework, though. You'll spend a lot of time re-inventing the wheel.
Upvotes: 2
Reputation: 163334
Yes, it is safe.
You are using parameterized queries which fundamentally separate the data from the command, making you safe from first-order SQL injection attacks.
Upvotes: 5
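The two points raised in the answers above (placeholders keep data out of the SQL command, and HTML output needs its own escaping) shown together on a read query against the same `users` table, as an added example that is not code from the question or either answer. It assumes the table and connection details from the question; `findUserByEmail` and `renderUserRow` are hypothetical names.

```php
<?php
// Added example: placeholder discipline on a SELECT, plus escaping for the HTML context.
// Assumes the `users` table from the question and a connected mysqli object.

function findUserByEmail(mysqli $mysqli, string $email): ?array
{
    // The SQL text is fixed at prepare time; $email can only ever be data.
    $stmt = $mysqli->prepare(
        "SELECT `unique_id`, `name`, `email` FROM `users` WHERE `email` = ? LIMIT 1"
    );
    if ($stmt === false) {
        // prepare() fails on bad SQL or a dead connection; never call bind_param() on false.
        error_log("prepare failed: " . $mysqli->error);
        return null;
    }
    $stmt->bind_param("s", $email); // a variable, as bind_param() takes references
    if (!$stmt->execute()) {
        error_log("execute failed: " . $stmt->error);
        $stmt->close();
        return null;
    }
    $stmt->bind_result($uniqueId, $name, $emailOut);
    $row = $stmt->fetch()
        ? ['unique_id' => $uniqueId, 'name' => $name, 'email' => $emailOut]
        : null;
    $stmt->close();
    return $row;
}

// Escaping for HTML is separate from escaping for SQL: a name that was stored
// safely through a placeholder is still untrusted input when it is rendered.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderUserRow(array $user): string
{
    return "<tr><td>" . h($user['name']) . "</td><td>" . h($user['email']) . "</td></tr>";
}

// Usage (constructed): the lookup value comes straight from the request and is
// never interpolated into the query string.
$mysqli = new mysqli("host", "user", "pass", "data");
if ($mysqli->connect_errno) {
    exit("Failed to connect to MySQL: " . $mysqli->connect_error);
}
$user = findUserByEmail($mysqli, $_POST['email'] ?? '');
if ($user !== null) {
    echo "<table>" . renderUserRow($user) . "</table>";
}
$mysqli->close();
```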