
I have this piece of PHP, I just wanna make sure it's safe from SQL injection and security vulnerabilities:

<?php
require_once "./source/includes/data.php";   // opens the mysql_* connection used below
header('Content-type: application/json');
// escape the submitted address before interpolating it into the SQL string
$request = mysql_real_escape_string($_REQUEST['email_address']);
$query = mysql_query("SELECT * FROM mmh_user_info WHERE email_address ='$request'");
$result = mysql_num_rows($query);
// 'true' means the address is not yet registered, 'false' means it is already taken
if ($result == 0) {
    $valid = 'true';
} else {
    $valid = 'false';
}
echo $valid;
?>

I'm still a PHP newbie, any enhancements or edits would be greatly appreciated!

samayo
asked May 16, 2013 at 22:33

  • Pretty safe from injection, but if you're writing new code, why not go with either PDO's or mysqli's prepared statements? Safe as can be.. Commented May 16, 2013 at 22:35
  • $email_address in your WHERE clause likely should be $request. Besides that, safe. Commented May 16, 2013 at 22:41
  • Can you suggest an edit on this code? Or suggest a tutorial that explains how to do that in mysqli prepared statements? Thanks for your advice! Commented May 16, 2013 at 22:44
  • We would need to see how you output the data and how you inserted it, since this could still be vulnerable to XSS in certain cases. Commented May 16, 2013 at 23:30

2 Answers


I suggest you make use of PDO which is becoming a standard in PHP5:

// the ? placeholder is bound to the value at execute time, so no manual escaping is needed
$sth = $dbh->prepare("SELECT * FROM mmh_user_info WHERE email_address = ?");
$sth->execute(array($_REQUEST['email_address']));
$red = $sth->fetchAll();   // every matching row; an empty array means the address is unused

Francisco Presencia
answered May 16, 2013 at 23:18

5 Comments

  • An additional isset check is required here
  • Shouldn't there be an array() inside execute() @zerkms
  • @php NoOb: that's too, but it's not my answer :-)
  • mysqli extension also supports prepared statements.
  • I'm using this with jQuery validate 'remote'. I need the result to be true or false, can this be done with PDO ?
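The answer's PDO snippet and the follow-up question about returning true/false for jQuery Validate's remote rule, carried through as a complete endpoint. This is an added example, not code from the asker or the answerer; the DSN and credentials are placeholders, and the isset check and $_POST usage follow the comments and the second answer.

```php
<?php
// Added example: email-availability check with PDO prepared statements.
// Connection details are placeholders; a real deployment would keep them
// in an include such as the asker's ./source/includes/data.php.
$dbh = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, not silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    )
);

header('Content-Type: application/json');

// The isset check the comments ask for: a missing or non-string parameter
// is a bad request, not a lookup. $_POST instead of $_REQUEST means the
// address cannot be smuggled in via a cookie or the query string; jQuery
// Validate's remote rule then needs {url: ..., type: "post"} on the client.
if (!isset($_POST['email_address']) || !is_string($_POST['email_address'])) {
    http_response_code(400);
    echo json_encode(false);
    exit;
}
$email = $_POST['email_address'];

// The value is sent to MySQL separately from the SQL text, so quotes,
// comment markers or UNIONs inside it cannot alter the statement.
// COUNT(*) answers "does it exist" without fetching every column.
$sth = $dbh->prepare('SELECT COUNT(*) FROM mmh_user_info WHERE email_address = ?');
$sth->execute(array($email));
$count = (int) $sth->fetchColumn();

// jQuery Validate's remote rule reads a JSON true as "valid" (address is
// free) and false as "invalid" (already registered), so emit real JSON
// booleans rather than the strings 'true' / 'false'.
echo json_encode($count === 0);
```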

I would use $_POST instead of $_REQUEST for the points noted in this great answer by the user Pascal MARTIN:

$_REQUEST, by default, contains the contents of $_GET, $_POST and $_COOKIE.

But it's only a default, which depends on variables_order ; and not sure you want to work with cookies.

If I had to choose, I would probably not use $_REQUEST, and I would choose $_GET or $_POST -- depending on what my application should do (i.e. one or the other, but not both) : generally speaking :

  • You should use $_GET when someone is requesting data from your application.
  • And you should use $_POST when someone is pushing (inserting or updating ; or deleting) data to your application.

Either way, there will not be much of a difference in performance : the difference will be negligible, compared to what the rest of your script will do.
