Is This Code Preventing SQL Injection Attacks & Why Doesnt It Work?

Question

I am new to PHP and am not sure if my code will prevent it from any SQL attacks. And also, I was confused as to why I cannot logon. It does not give me any error.

    <?php
$host="localhost"; // Host name
$username="*****"; // Mysql username
$password="****"; // Mysql password
$db_name="***"; // Database name
$tbl_name="electoral"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$username=$_POST['username'];
$password=$_POST['password'];

// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$sql="SELECT * FROM $tbl_name WHERE username='$username' and password= md5('$password')";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "_____"

session_register("username");
session_register("password");
header("location:electoralcommission.php");
}

?>

any ideas? thanks

@Michael Where do you even see `session_start()`? This code is a mish-mash of fragments. — Mike B, Feb 19 '12 at 23:50
But what happens? Do you get a blank page, the same signin form, etc.? — Jared Farrish, Feb 19 '12 at 23:50
@MikeB I don't, but who knows what was trimmed or not included here.. — Michael Berkowski, Feb 19 '12 at 23:52
oh guys, i just solved it! my session name on the page it was supposed to get redirected to had a different session name then the one that got registered on this page! — Jahed Hussain, Feb 19 '12 at 23:52
I... don't know what to say. Everything about this page is wrong. — Lightness Races in Orbit, Feb 20 '12 at 00:28

score 1 · Answer 1 · edited May 23 '17 at 12:11

1

stripslahes() is unnecessary, and really not a good idea to use. mysql_real_escape_string() is the preferred if you're going to be escaping the string to prevent injections.

Personally, I would recommend you use PDO with Parameterized Queries instead. Parameterized Queries are far, far cleaner than trying to remember if you properly escaped the string or not, plus it at least with some database & driver combinations (not sure about PHP specifically) it will allow the SQL server to cache parts of the query, for better performance (plus, I doubt mysql_... is anything close to speedy!). See this stack overflow page for more information (or many, many other questions).

edited May 23 '17 at 12:11

Community

1
1

answered Feb 19 '12 at 23:57

Kitsune

8,581
2
23
24

I'm not entirelly sure but some versions of MySQL cannot cache prepared statements at all. – arthurprs Feb 20 '12 at 00:15
PDO emulates prepares by default anyway. Sigh. – Charles Feb 20 '12 at 15:29

Is This Code Preventing SQL Injection Attacks & Why Doesnt It Work?

1 Answers1