
I have been given a project to complete, in the backend there are SQL statements doing various things, as you'd expect.

In the past I have used PDO to construct SQL queries that use parameterisation to avoid injection attacks.

Whilst reading through the code I noticed many queries in the form of:

$sql = "SELECT * FROM detail WHERE email ='$email'";
$query = mysqli_query($dbcon, $sql);

With no parameterisation or cleaning of input.

Is this type of query vulnerable? Should there not be some form of parameterisation, and, more importantly, should I explain the risks involved, as it seems the developer was unaware of the risk?

chris85
Jesse Orange
  • *Is this type of query vulnerable?* Yes. *Should there not be some form of parameterisation?* Yes. But you can achieve it with mysqli; you must not change to PDO. – Jens Aug 16 '17 at 12:28
  • You can achieve what you want with mysqli, but IMHO, PDO is easier to use than `MySQLi_*` – GrumpyCrouton Aug 16 '17 at 12:50
  • Your code has `mysqli` connections and `PDO` connections? – chris85 Aug 16 '17 at 12:59

1 Answer


Yes, it is.

But you can use this with mysqli: http://php.net/manual/en/mysqli.prepare.php

So with your data it will look like:

// The SQL text is sent to the server with a placeholder instead of the value
$prepare = $dbcon->prepare("SELECT * FROM detail WHERE email = ?");
// "s" binds $email as a string; it is transmitted separately from the query text
$prepare->bind_param("s", $email);
$prepare->execute();
Funk Forty Niner
Thibault Dumas
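As an added example (not code from the question or the answer), here is the lookup wrapped in a function using mysqli prepared statements, next to the original string-interpolated query, run against a legitimate address that contains a single quote. The connection details, the `findDetailByEmail` name and the sample address are assumptions; the `detail` table and `email` column are the question's own.

```php
<?php
declare(strict_types=1);

// Make mysqli raise exceptions instead of returning false silently
// (this is already the default from PHP 8.1 onwards).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Placeholder credentials: replace with the real connection settings.
$dbcon = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');

/**
 * Fetch rows from `detail` for one e-mail address with a prepared statement.
 * The value is sent to the server separately from the SQL text, so it can
 * never alter the structure of the query, whatever characters it contains.
 *
 * @return array<int, array<string, mixed>>
 */
function findDetailByEmail(mysqli $dbcon, string $email): array
{
    $stmt = $dbcon->prepare("SELECT * FROM detail WHERE email = ?");
    $stmt->bind_param('s', $email);           // "s": bind as a string
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // needs mysqlnd (the default driver)
    $stmt->close();
    return $rows;
}

// Constructed sample input: a perfectly valid address containing a quote.
$email = "o'brien@example.com";

// The pattern from the question. The quote in the data closes the SQL string
// literal early and the rest of the value is parsed as SQL, so the query is
// malformed for this user and any attacker-chosen input is treated the same way:
$unsafeSql = "SELECT * FROM detail WHERE email ='$email'";
// becomes: SELECT * FROM detail WHERE email ='o'brien@example.com'

// The prepared-statement version looks up exactly that address and nothing else.
$rows = findDetailByEmail($dbcon, $email);
printf("%d row(s) found for %s\n", count($rows), $email);
```

Running the function once against an address with an apostrophe is a simple way to show the developer that the interpolated query is incorrect even on honest input, before discussing the injection risk.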