user1837725

Reputation: 513

Is this Code Exploitable? (PHP)

I paid someone to code basic PHP scripts for me, so bear in mind my dumb questions. I just want to keep my users safe.

Is this code exploitable, and if so, how can I fix it?

if (isset($_POST['serial'])) {
    $serial = $_POST['serial'];
    // Prepared statement: the value is sent separately from the SQL text
    $count = $db->prepare("SELECT * FROM users WHERE serial=:serial LIMIT 1");
    $count->bindParam(":serial", $serial);
    $count->execute();
    $no = $count->rowCount();

    if ($no > 0) {
        echo "User Found";
    } else {
        echo "User Not Found";
    }
}

I am guessing I need to sanitize 'serial' to ensure there are no injection attempts. Is there any code to do this for me? Will something like this work?

$name = strip_tags(trim($_POST['name']));

Upvotes: 0

Views: 63

Answers (1)

Musa Haidari

Reputation: 2267

If you mean more specifically SQL Injection, then this statement is good enough to prevent it, since it uses a prepared statement, i.e. it passes the parameter :serial and later on fills it by calling $count->bindParam(":serial",$serial);.

The risk of SQL Injection is when you build your statement by concatenating SQL queries with user input directly, without sanitization, for example:

DO NOT USE SUCH KIND OF CODING

$count=$db->prepare("SELECT * FROM users WHERE " . $_POST['serial'] .  " LIMIT 1");

Upvotes: 1
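An added example (not code from the question or the answer) that runs the asker's bound-parameter lookup and the answer's "DO NOT USE" concatenated form side by side against a constructed in-memory SQLite table, so the difference is visible on real input. It assumes the pdo_sqlite extension is available; the table, rows and inputs are all constructed here.

```php
<?php
// Constructed test data: an in-memory SQLite database via PDO (assumed to be
// available). Nothing here touches a real users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, serial TEXT NOT NULL)");
$db->exec("INSERT INTO users (serial) VALUES ('ABC-123'), ('XYZ-789')");

// Safe form (what the question's script does): the value is bound as data, so
// whatever the user typed is compared as a literal serial, never parsed as SQL.
function findUserSafe(PDO $db, string $serial): bool
{
    $stmt = $db->prepare("SELECT id FROM users WHERE serial = :serial LIMIT 1");
    $stmt->bindValue(':serial', $serial, PDO::PARAM_STR);
    $stmt->execute();
    // fetch() instead of rowCount(): PDO does not guarantee rowCount() for
    // SELECT statements on every driver.
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

// Unsafe form (the answer's DO NOT USE example): the input is pasted into the
// SQL text, so it is parsed as part of the query rather than compared as data.
function findUserUnsafe(PDO $db, string $input): bool
{
    $stmt = $db->query("SELECT id FROM users WHERE " . $input . " LIMIT 1");
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

// Constructed inputs: a real serial, an unknown serial, and text that happens
// to be valid SQL. Only the last one shows the two forms disagreeing.
$inputs = ['ABC-123', 'NOPE-000', '1=1'];

foreach ($inputs as $input) {
    $safe = findUserSafe($db, $input) ? 'User Found' : 'User Not Found';
    printf("safe   %-10s -> %s\n", $input, $safe);
}
// The unsafe form expects the whole WHERE condition from the user, so a
// well-behaved caller would send "serial='ABC-123'"; "1=1" is true for every
// row and therefore reports a user even though no such serial exists.
foreach (["serial='ABC-123'", "serial='NOPE-000'", '1=1'] as $input) {
    $unsafe = findUserUnsafe($db, $input) ? 'User Found' : 'User Not Found';
    printf("unsafe %-18s -> %s\n", $input, $unsafe);
}
```

The bound version reports "User Not Found" for "1=1" because it looks for a serial literally equal to that string, while the concatenated version reports "User Found" for it; that mismatch is exactly the injection risk the answer describes.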
