Hey everyone,
I'm trying to harden some of my PHP code and use mysqli prepared statements to better validate user input and prevent injection attacks.
I switched away from mysqli_real_escape_string as it does not escape % and _. However, when I create my query as a mysqli prepared statement, the same flaw is still present. The query pulls a users salt value based on their username. I'd do something similar for passwords and other lookups.
Code:
$db = new sitedatalayer();
if ($stmt = $db->_conn->prepare("SELECT `salt` FROM admins WHERE `username` LIKE ? LIMIT 1")) {
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($salt);
while ($stmt->fetch()) {
printf("%s\n", $salt);
}
$stmt->close();
}
else return false;
- Am I composing the statement correctly?
- If I am what other characters need to be examined? What other flaws are there?
- What is best practice for doing these types of selects?
Thanks,