hrolsons asked:
Trying to prevent SQL Injection issues

I'm trying to prevent SQL injection issues.

I currently have:

$product_array = $db_handle->runQuery("SELECT photos_new.bookmark, photos_new.pic_online, photo_detail_new.ebay_title,15 AS price FROM photo_detail_new INNER JOIN photos_new ON photo_detail_new.bookmark = photos_new.bookmark  WHERE ebay_title like '%$fname%'");              


I have so far:

   $this->dbConn = $db_handle->connectDB();
   $product_array = $db_handle->prepare("SELECT photos_new.bookmark, photos_new.pic_online, photo_detail_new.ebay_title,15 AS price FROM photo_detail_new INNER JOIN photos_new ON photo_detail_new.bookmark = photos_new.bookmark  WHERE ebay_title like ?");                      $product_array->bind_param("s", $fname);     $product_array->execute();     $data = $product_array->get_result();     $product_array = mysqli_fetch_all($data, MYSQLI_ASSOC);     $st->close();


and it's not working.

I get:

Fatal error: Uncaught Error: Call to undefined method Hera\DBController::prepare() in /home/dh_95geeu/xxxxx.com/simple-shop/indexdetailnew.php:254 Stack trace: #0 {main} thrown in /home/dh_95geeu/xxxxx.com/simple-shop/indexdetailnew.php on line 254


gr8gonzo:

My guess is that $this->dbConn is your actual DB connection. Try:

$this->dbConn->prepare(...)
hrolsons (asker):
Fatal error: Uncaught Error: Using $this when not in object context in /home/dh_95geeu/xxxxx.com/simple-shop/indexdetailnew.php:253 Stack trace: #0 {main} thrown in /home/dh_95geeu/xxxxx.com/simple-shop/indexdetailnew.php on line 253


Did you edit / splice your code together in what you provided? Because you show this:

$this->dbConn = $db_handle->connectDB();
$product_array = $db_handle->prepare(...);

...so if that first line works, then the second line should work if you do this:

$this->dbConn = $db_handle->connectDB();
$product_array = $this->dbConn->prepare(...);


hmmmm, same thing:
Fatal error: Uncaught Error: Using $this when not in object context in /home/dh_95geeu/xxxxx.com/simple-shop/indexdetailnew.php:253 Stack trace: #0 {main} thrown in /home/dh_95geeu/xxxxx.com/simple-shop/indexdetailnew.php on line 253


Here is the exact code I'm using:
$this->dbConn = $db_handle->connectDB();

$product_array = $this->dbConn->prepare("SELECT photos_new.bookmark, photos_new.pic_online, photo_detail_new.ebay_title,15 AS price FROM photo_detail_new INNER JOIN photos_new ON photo_detail_new.bookmark = photos_new.bookmark  WHERE ebay_title like ?");                 

$product_array->bind_param("s", $fname);
$product_array->execute();
$data = $product_array->get_result();
$product_array = mysqli_fetch_all($data, MYSQLI_ASSOC);
$st->close();


Did you take this code out of a class for testing, by any chance? If you get that error at all, it should be on the first line:

$this->dbConn = $db_handle->connectDB();

...but in your very initial post, it looked like that line was working, which implies it was inside of a class.
Yes, it did come from a class.  Sorry I left that out.

Now I'm not sure how to get this question back on track.
Neither the code provided nor the errors mentioned seem related to SQL injection.

Deal with one issue at a time.

Get your code working, then run https://sqlmap.org against your code to see if you really have an injection problem.

From the snippet provided, there's no injection problem.

And, you've only provided a snippet... instead of entire codebase...

The only good way to know if you have injection problems is to use a mechanical tool like sqlmap.

Then simply fix any injections surfaced.
ASKER CERTIFIED SOLUTION by gr8gonzo (members-only; text not available on this page)
My advice is to rather use PDO - the options are much better than MySQLi.

To your question - the error is on line 254 - which means we are missing context. Can you attach your full script so we can see what is going on.
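The PDO version of the thread's search, as an added example (not code from the thread or from any of its posters). It shows what the recommendation above buys you: PDO binds the values handed to execute(), so the LIKE pattern can be built inline, and the attributes put the driver into exception mode with real server-side prepares. The DSN, credentials and the use of $_GET['fname'] as the input are assumptions; the tables and columns are the ones from the thread.

```php
<?php
// Added example: the thread's title search with PDO instead of mysqli.
// DSN, credentials and the request parameter are assumptions.
declare(strict_types=1);

function connectPdo(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=shop;charset=utf8mb4',  // assumed DSN
        'shop_user',                                          // assumed credentials
        'shop_password',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of silently returning false
            PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares, no client-side quoting
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

/** @return array<int, array<string, mixed>> */
function searchByTitle(PDO $pdo, string $fname): array
{
    $stmt = $pdo->prepare(
        'SELECT photos_new.bookmark, photos_new.pic_online,
                photo_detail_new.ebay_title, 15 AS price
         FROM photo_detail_new
         INNER JOIN photos_new ON photo_detail_new.bookmark = photos_new.bookmark
         WHERE photo_detail_new.ebay_title LIKE :pattern'
    );
    // PDO binds the *values* in the execute() array, so the wildcard pattern
    // can be built inline; the user input never touches the SQL text.
    $stmt->execute([':pattern' => '%' . $fname . '%']);
    return $stmt->fetchAll();
}

$rows = searchByTitle(connectPdo(), $_GET['fname'] ?? '');
print_r($rows);
```

With ATTR_EMULATE_PREPARES left at its default (true) PDO quotes the value client-side and sends a literal query; disabling it makes the MySQL server parse the statement once and receive the parameter separately, which is the behaviour most people assume a "prepared statement" has.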



@gr8gonzo, that's working really well!!!

Do you know how to add in wildcards?
//$product_array->bind_param("s", $fname);
$product_array->bind_param("s", '%'.$fname.'%');


The above produces an error.

When you use bind_param, it's binding to the specific variable itself, not to the VALUE of the variable.

So if you want to use wildcards with %, just set up a new variable with those wildcard characters and bind to that variable instead:

$fname_wild = '%'.$fname.'%';
$product_array->bind_param("s", $fname_wild);
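The complete mysqli version of the search, put back inside a class the way the asker's code was, as an added example (not the thread's code or the accepted solution). It shows the by-reference binding gotcha handled with a separate pattern variable, and adds the check a practitioner would want alongside it: a placeholder stops the input from changing the SQL, but it does not stop a user-supplied "%" or "_" from acting as a LIKE wildcard, so those characters are escaped before the pattern is built. The class name, property name and connection details are assumptions; the query, tables and columns are the ones from the thread.

```php
<?php
// Added example: the thread's LIKE search as a mysqli prepared statement inside a class.
// ProductSearch, the connection credentials and the sample input are assumptions.
declare(strict_types=1);

final class ProductSearch
{
    private mysqli $dbConn;

    public function __construct(mysqli $dbConn)
    {
        $this->dbConn = $dbConn;
    }

    /**
     * Escape the LIKE metacharacters in user input so a search for "50%" matches
     * that literal text. This is not injection protection (the placeholder does
     * that); it keeps a user-supplied '%' or '_' from matching every row.
     * MySQL's default LIKE escape character is the backslash.
     */
    public static function escapeLike(string $term): string
    {
        return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
    }

    /** @return array<int, array<string, mixed>> */
    public function searchByTitle(string $fname): array
    {
        // Build the pattern in its own variable: bind_param() takes its arguments
        // by reference, so an expression like '%' . $fname . '%' cannot be passed.
        $pattern = '%' . self::escapeLike($fname) . '%';

        $stmt = $this->dbConn->prepare(
            "SELECT photos_new.bookmark, photos_new.pic_online,
                    photo_detail_new.ebay_title, 15 AS price
             FROM photo_detail_new
             INNER JOIN photos_new ON photo_detail_new.bookmark = photos_new.bookmark
             WHERE photo_detail_new.ebay_title LIKE ?"
        );
        $stmt->bind_param('s', $pattern);
        $stmt->execute();

        // get_result() requires the mysqlnd driver; fetch_all() lives on the result object.
        $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
        $stmt->close();   // close the statement handle, not a variable that was reassigned
        return $rows;
    }
}

// Usage with assumed credentials.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors instead of returning false
$conn = new mysqli('localhost', 'shop_user', 'shop_password', 'shop');
$conn->set_charset('utf8mb4');
$search = new ProductSearch($conn);

// Constructed input that would have broken the interpolated original query:
// with the placeholder the quote and the comment marker are data, not SQL.
$rows = $search->searchByTitle("' OR 1=1 -- ");
print_r($rows);
```

Enabling MYSQLI_REPORT_STRICT matters here: without it prepare() returns false on a bad query and the next line fails with a confusing "call to a member function on bool" instead of the real SQL error.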