SQL injection in PHP Phalcon

Question

I just learning SQL injection and try to inject my PHP based code (with PHP Phalcon framework). I try to do SQL injection in my login. However, when I try to do the injection, I cannot do it and I do not know whether it is caused by my code is already robust from SQL injection or that I do the injection in wrong way.

My login section contains of email and password. For the email section, I insert test@test.com' or 1=1 and insert some random password.

However, there is an error message showing something like this:

Scanning error before ' LIMIT :APL0:' when parsing: SELECT [Test\\Models\\Login].* FROM [TEST\\Models\\Login] WHERE email='test@test.com' or 1=1 --' LIMIT :APL0: (119)

Here is the verify login code:

public function verifyLogin ($email, $password) {
    $records = $this->findFirst("email='$email'");
    if ($records && sha1($password)==$records->password) {
        return ($records->id);
    }
    return (false);
}

How to know whether it is my injection that is wrong or the code is already robust? And if the injection is still wrong, how to fix it?

Answer 1

The way you wrote your code irrespective of whether it is Phalcon or not is prone to SQL injection. I am not sure if you actually want to perform SQL injection in the script above or you are trying to figure out ways to protect against it.

If it is the latter, you can always bind your parameters:

public function verifyLogin ($email, $password) {
    $record = $this->findFirst(
        'conditions' => 'email = :email:',
        'bind'       => [
            'email' => $email,
         ],
    );

    if ($record && sha1($password) == $records->password) {
        return ($records->id);
    }

    return false;
}

The above code uses bound parameters, a feature of PDO that offers better security against SQL injections.