About SQL Injection.
This interesting discussion deals with security and SQL injection in MySQL.
For some days I have been facing some big issues in my app. Some users are increasing their referral joins and bypassing the referral code system, and I don't understand what happened.
One user mailed me and said "I can bypass your app's referral system", and then I contacted him.
They said my app and database are very easy to hack.
Please Help Me!
I don't understand anything. What should I do now?
I’m going to follow this tutorial:
Before I start, if you'd like to see an even easier way to use MySQLi prepared statements, check out my wrapper class. Also, here's a great resource to learn PDO prepared statements, which is the better choice for beginners and most people in...
and I’m going to adapt my code to avoid SQL injection.
Note that the PHP code that manages MySQL lives on the server (the hosting), not in the application.
mysqli_post_segur.php

```php
<?php
// Juan Antonio Villalpando
// http://kio4.com/appinventor/340D_appinventor_mysqli_inject.htm

// 1.- IDENTIFICATION: database name, user, password and server
$db_host  = "localhost";
$db_name  = "my_database";
$db_login = "juan";
$db_pswd  = "contraseña";

// 2.- CONNECTION TO THE DATABASE
// Enable exceptions before connecting so that connection and query errors are not silently ignored
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$link = new mysqli($db_host, $db_login, $db_pswd, $db_name);
if ($link->connect_error) {
    exit('Error de conexion con la base de datos.');
}
$link->set_charset("utf8mb4");

// Button pressed in the app; empty string if the field was not sent
$boton = $_POST['boton'] ?? '';

/////////////////////////////// INSERT ////////////////////////////////////
if ($boton == "btnInsertar") {
    $Nombre = $_POST['Nombre'] ?? '';
    $Edad   = $_POST['Edad'] ?? '';
    $Ciudad = $_POST['Ciudad'] ?? '';
    // Values travel as bound parameters, never concatenated into the SQL text
    $stmt = $link->prepare("INSERT INTO personas (Nombre, Edad, Ciudad) VALUES (?, ?, ?)");
    $stmt->bind_param("sss", $Nombre, $Edad, $Ciudad);
    $stmt->execute();
    $stmt->close();
    print("Datos agregados a la base.");
}

/////////////////////////////// DELETE ////////////////////////////////////
if ($boton == "btnBorrar") {
    $Nombre = $_POST['Nombre'] ?? '';
    $stmt = $link->prepare("DELETE FROM personas WHERE Nombre = ?");
    $stmt->bind_param("s", $Nombre);
    $stmt->execute();
    $stmt->close();
    print("Datos borrados.");
}

////////////////////////////// UPDATE ///////////////////////////////
if ($boton == "btnActualizar") {
    $Nombre = $_POST['Nombre'] ?? '';
    $Edad   = $_POST['Edad'] ?? '';
    $Ciudad = $_POST['Ciudad'] ?? '';
    $stmt = $link->prepare("UPDATE personas SET Edad = ?, Ciudad = ? WHERE Nombre = ?");
    $stmt->bind_param("sss", $Edad, $Ciudad, $Nombre);
    $stmt->execute();
    $stmt->close();
    print("Datos modificados.");
}

///////////////////// SEARCH BY NAME /////////////////////////////
if ($boton == "btnBuscarNombre") {
    $Nombre = $_POST['Nombre'] ?? '';
    $stmt = $link->prepare("SELECT * FROM personas WHERE Nombre = ?");
    $stmt->bind_param("s", $Nombre);
    $stmt->execute();
    $stmt->bind_result($id, $Nombre, $Edad, $Ciudad);
    // One CSV line per row, which the app splits on the client side
    while ($stmt->fetch()) {
        echo $id . "," . $Nombre . "," . $Edad . "," . $Ciudad . "\n";
    }
    $stmt->close();
}

/////////////////////// SHOW TABLE /////////////////////////////////////
if ($boton == "btnVerTabla") {
    // No placeholders in this query, so bind_param() must not be called
    $stmt = $link->prepare("SELECT * FROM personas");
    $stmt->execute();
    $stmt->bind_result($id, $Nombre, $Edad, $Ciudad);
    while ($stmt->fetch()) {
        echo $id . "," . $Nombre . "," . $Edad . "," . $Ciudad . "\n";
    }
    $stmt->close();
}

/////////////////////// GET SORTED /////////////////////////////////////
if ($boton == "btnOrdenar") {
    $Columna = $_POST['Columna'] ?? '';
    // A column name is an identifier, not a value, so it cannot be passed as a "?" parameter.
    // Interpolating it directly would reopen the injection hole, so accept only names from a
    // fixed list (adjust to the real column names of your table) and fall back to the first one.
    $columnasPermitidas = ["id", "Nombre", "Edad", "Ciudad"];
    if (!in_array($Columna, $columnasPermitidas, true)) {
        $Columna = $columnasPermitidas[0];
    }
    $stmt = $link->prepare("SELECT * FROM personas ORDER BY `$Columna` ASC");
    $stmt->execute();
    $stmt->bind_result($id, $Nombre, $Edad, $Ciudad);
    while ($stmt->fetch()) {
        echo $id . "," . $Nombre . "," . $Edad . "," . $Ciudad . "\n";
    }
    $stmt->close();
}
///////////////////////////////////////////////////////////////////
$link->close();
?>
```
If you also encrypt the data, for example with the com.KIO4_SecretKey.aix extension, your information will be better protected.
Regards,
(This tutorial in Spanish)