Audit required: SQL query might be vulnerable to injection attacks PHP-A1002
Database queries should not be vulnerable to injection attacks
264 $rs = pg_prepare($dbconn, "R_S",
265 "SELECT segid, major, minor from roads_base "
266 ." WHERE archive_begin <= $1 and archive_end > $1 ORDER by major ASC");
267 $rs = pg_execute($dbconn, "R_S", Array("${year}-${month}-01"));268 for ($i=0; $row = @pg_fetch_array($rs, $i); $i++)
269 {
270 $s .= "<option value=\"". $row["segid"] ."\" ";Database queries should not be vulnerable to injection attacks
260
261function segmentSelect($dbconn, $year, $month, $selected, $name="segid")
262{
263 $s = "<select name=\"$name\">\n";264 $rs = pg_prepare($dbconn, "R_S",
265 "SELECT segid, major, minor from roads_base "
266 ." WHERE archive_begin <= $1 and archive_end > $1 ORDER by major ASC");Database queries should not be vulnerable to injection attacks
246} // End of daySelect
247
248function daySelect2($selected, $name, $jsextra=''){
249 $s = "<select name='$name' {$jsextra}>\n";250 for ($k=1;$k<32;$k++){
251 $s .= "<option value=\"".$k."\" ";
252 if ($k == (int)$selected){Database queries should not be vulnerable to injection attacks
221
222
223function monthSelect2($selected, $name, $jsextra=''){
224 $s = "<select name='$name' {$jsextra}>\n";225 for ($i=1; $i<=12;$i++) {
226 $ts = mktime(0,0,0,$i,1,0);
227 $s .= "<option value='".$i ."' ";Database queries should not be vulnerable to injection attacks
208 $start = intval($start);
209 $now = time();
210 $tyear = ($endyear != null)? $endyear: strftime("%Y", $now);
211 $s = "<select name='$fname' {$jsextra}>\n";212 for ($i=$start; $i<=$tyear;$i++) {
213 $s .= "<option value='".$i ."' ";
214 if ($i == intval($selected)) $s .= "SELECTED";
Description
Using user-provided data while executing an SQL query can lead to SQL injection attacks. An SQL injection attack consists of the insertion or "injection" of a malformed SQL query via the input data given to an application. It is a prevalent attack vector and causes significant damage if the incoming data is not properly sanitized.
In the past it has led to the following vulnerabilities:
If the query contains any variable input then parameterized prepared statements should be used instead. Alternatively, the data must be properly formatted and all strings must be escaped using the mysqli_real_escape_string() function.
Bad practice
function getUser() {
$id = $_GET['id'];
$query = "SELECT * FROM users WHERE id = '" . $id . "'";
$conn = getConnection();
$result = mysqli_query($conn, $query);
$user = mysqli_fetch_array($result);
return $user;
}
Recommended
function getUser() {
$id = $_GET['id'];
$mysqli = getConnection();
$query = "SELECT * FROM users WHERE id = ':id'";
$stmt = $mysqli->prepare($query);
$stmt->bindParam(':id', $id);
$stmt->execute();
$result = $stmt->get_result();
return $result->fetch_assoc();
}