Member Avatar for TheFearful

Hey everyone, I have created a PHP web application that allows people of different permissions to do certain things such as read-only, add, update, or delete. That works pefectly. However, it came across my mind that I have not done anything to prevent against SQL injection or XSS attacks. I have little to no knowledge on how to do that. I'll show what I have and maybe a little guidance can help me learn how to do some type of hardening on my tables.

<?php
        //connects to the Database
        include_once("sqlConnect.php");

        //Checks the previous page for the choice selected from the Dropdown menu

        if(isset($_POST['currentUser']))
        {
                $currentUser = $_POST['currentUser'];
                $sql5 = "SELECT * FROM engineers WHERE UserID='$currentUser'";
                $result3 = mysqli_query($conn, $sql5);
                $row3 = mysqli_fetch_array($result3);
                $Access = $row3["AccessCode"];
                if ($Access <= 5)
                {
                        if(isset($_POST['engineers']))
                        {
                                $UserID = $_POST['engineers'];
                                //SQL command to pull information from the table where Sales Engineers are
                                $sql = "SELECT * FROM engineers WHERE UserID='$UserID'";
                                //The result is saved here
                                $result = mysqli_query($conn, $sql);
                                //Will fetch the information
                                //Slightly redundant since we will only be selecting only one
                                //entry at a time
                                while($row = mysqli_fetch_array($result))
                                {
                                        $EmployeeID = $row["EmployeeID"];
                                        $FirstName = $row["FirstName"];
                                        $LastName = $row["LastName"];
                                        $Extension = $row["Extension"];
                                        $Telephone = $row["Telephone"];
                                        $Email = $row["Email"];
                                        $PPhone = $row["PersonalPhone"];
                                        $MPhone = $row["Mobile"];
                                        $TeleAgent = $row["TelephoneAgent"];
                                        $Department = $row["Department"];
                                        $Access = $row["AccessCode"];
                                        $UserID = $row["UserID"];

                                }
                        }

                }
                 else
                {
                        echo "<script> alert('You do not have permission to edit');
                                window.history.back();
                                </script>";
                }
        }

This is just a snippet of what I have. Pretty much, I will have a page that will add and I will also have another page to help delete. Same kind of thing but for different queries. Does anyone know what I can do to help make it harder to do SQL injection or XSS? Please don't give me code unless it's something that is really obvious that I should be doing. I want to learn, so a snippet here or there or a good article that can help me will be better for me. Thank you! By the way, I tried looking this up on google but can't really understand what the person who wrote the article was doing.

NEVER allow direct SQL code to be passed to your application. I always use stored procedures in the database and data binding to eliminate SQL injection altogether. You can write some php functions that take user input for data modifications and such and those can in turn parse the data to avoid "bad stuff", then calling the stored procedures with the required arguments in turn.

Member Avatar for TheFearful

This is the first time I have been hearing about stored procedures. I don't know if that is different than using mysqli. I tried this example but want to know if I can do that for a SELECT * command

 $stmt = mysqli_prepare($conn, "SELECT AccessCode FROM engineers WHERE UserID=?");
                mysqli_bind_param($stmt, "s", $currentUser);

/*mysqli_stmt_bind_param($stmt, "s", $currentUser);
                mysqli_stmt_execute($stmt);

                mysqli_stmt_bind_result($stmt, $AccessCode);

                mysqli_stmt_fetch($stmt);
                printf("%s has access code %s \n", $currentUser, $AccessCode);
                mysqli_stmt_close($stmt);*/
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.