SQL Injection vulnerabilities
nicprov opened this issue
All of the queries you make in your code are done in the following format:
pdo_query("SELECT something from something where something=$var")
pdo_fetch()
The above method provides no way of validating that $var is in fact a valid and correct value. I can override it by passing something like "1=1" and it will just return everything.
PHP provides something called prepared statements where at least some validation is done to help mitigate these issues. You prepare a statement by doing something like:
$stmt->prepare("SELECT something from something where something=?");
Then you bind the param:
$stmt->bind_param('s', $var);
The following resources should help you:
https://stackoverflow.com/questions/134099/are-pdo-prepared-statements-sufficient-to-prevent-sql-injection
https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php
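To make the contrast concrete, here is an added example (not code from this project) that runs the interpolated pattern described above next to a PDO prepared statement against an in-memory SQLite table with constructed rows; the table, column and function names are assumptions for the demo.

```php
<?php
// Added example, not the project's code: interpolated query vs. PDO prepared statement.
// Uses an in-memory SQLite database so it runs offline; rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Vulnerable pattern (as in the issue): $var is spliced into the SQL text, so
// whatever the caller supplies is parsed as SQL, not as a value.
function findByNameInterpolated(PDO $db, string $var): array
{
    $result = $db->query("SELECT name, role FROM users WHERE name = '$var'");
    return $result->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the statement text is fixed at prepare() time and $var is
// sent only as a bound parameter, so it can never change the query structure.
// (With MySQL, also disable PDO::ATTR_EMULATE_PREPARES or set the connection
// charset in the DSN, as the linked Stack Overflow discussion explains.)
function findByNamePrepared(PDO $db, string $var): array
{
    $stmt = $db->prepare("SELECT name, role FROM users WHERE name = ?");
    $stmt->execute([$var]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input in the spirit of the "1=1" case from the issue.
$input = "x' OR '1'='1";

// Interpolated: the WHERE clause becomes always-true and every row comes back.
printf("interpolated: %d row(s)\n", count(findByNameInterpolated($db, $input)));
// Prepared: no user is literally named "x' OR '1'='1", so nothing is returned.
printf("prepared:     %d row(s)\n", count(findByNamePrepared($db, $input)));
```

Run with `php example.php` on a PHP build that has pdo_sqlite enabled; the first call returns both rows, the second returns none.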
Mistake on my part, seems to be taken care of elsewhere (config-pdo.php)