
I'm new here and this is my first question. Sorry if my question is missing some explanation. I just want to ask if my PHP code is secure enough. Please find the source code below:

Get the ID for choosing the Value

/* Create a new query to get the ID of every Venue Type from the Administration database */
$Q_VenueType = "SELECT Biz_ID FROM Biz";

$R_VenueType = $connection->query($Q_VenueType);

if ($R_VenueType->num_rows > 0) {
    //Success Condition
    $rows = array();
    while ($row = $R_VenueType->fetch_assoc()) {
        $rows[] = $row;
    }

    echo json_encode($rows);

    $R_VenueType->close();

}else{
    //Failed Condition
    echo('0');
}

mysqli_close($connection);

Get Value with the ID as an Input

// Create a variable to get the Venue Type value by its ID.
$VenueType_ID = htmlspecialchars($_POST['TypeID'], ENT_QUOTES);

/* Create a new query to get the name of the Venue Type with the given ID from the Administration database */
$Q_VenueTypeValue = "SELECT Biz_Name FROM Biz WHERE Biz_ID = '".$VenueType_ID."'";

$R_VenueTypeValue = $connection->query($Q_VenueTypeValue);

if ($R_VenueTypeValue->num_rows > 0) {
    //Success Condition
    $rows = array();
    while ($row = $R_VenueTypeValue->fetch_assoc()) {
        $rows[] = $row;
    }
    echo json_encode($rows);

}else{
    //Failed Condition
    echo('0');
}

mysqli_close($connection);

Question:

1.) Is my handling of the user input already safe in this day and age? ($VenueType_ID = htmlspecialchars($_POST['TypeID'], ENT_QUOTES);)

2.) Are my queries against my database already safe in this day and age? ($Q_VenueTypeValue = "SELECT Biz_Name FROM Biz WHERE Biz_ID = '".$VenueType_ID."'"; and $Q_VenueType = "SELECT Biz_ID FROM Biz";)

3.) Is my data-fetching code already safe in this day and age? (

if ($R_VenueTypeValue->num_rows > 0) {
    //Success Condition
    $rows = array();
    while ($row = $R_VenueTypeValue->fetch_assoc()) {
        $rows[] = $row;
    }
    echo json_encode($rows);

}else{
    //Failed Condition
    echo('0');
}

mysqli_close($connection);

)

If any of this code or these conditions is not safe, kindly tell me how to make it safe. What do I need to add or change?

Pardon my English, guys :). Please ask if you need further information. Thank you in advance for your answer.

user236353
  • tl;dr: No, because `htmlspecialchars` isn't for passing parameters to a database. – Joseph Sible-Reinstate Monica Jun 10 '20 at 04:25
  • @JosephSible-ReinstateMonica Thanks, sir, for your answer. I've read the forum but still didn't understand that much. I just got the concept that there is output security and input security. Maybe my question was not clear. What I asked is: 1.) Is my variable for user input already safe? If not, how do I make it safe? What do I need to add or change? 2.) Is my query already safe? If not, how do I make it safe? What do I need to add or change? 3.) Is my data fetching already safe? If not, how do I make it safe? What do I need to add or change? Sorry for my slow brain. – user236353 Jun 10 '20 at 05:33
  • @JosephSible-ReinstateMonica From what I read on the forum you gave me, I need to change my input from the user to something like this? `$VenueType_ID = htmlspecialchars($_POST['TypeID'], ENT_QUOTES, 'UTF-8')` – user236353 Jun 10 '20 at 05:45
  • 1
    *facepalm* No, that's wrong too. You need to use prepared statements. – Joseph Sible-Reinstate Monica Jun 10 '20 at 05:50
  • Have you already tried using SAST and DAST based code review tools which are available for free? – Arpit Rohela Jun 10 '20 at 10:31
  • @dmuensterer That's dangerously misleading. A novice could easily end up incorrectly interpreting your comment to mean "since I'm using `mysqli`, I'm safe from SQL injection without having to do anything", which isn't true. – Joseph Sible-Reinstate Monica Jun 10 '20 at 12:56
  • @JosephSible-ReinstateMonica Hello sir, sorry for the late reply. Thank you for answering my questions; please bear with me since I'm a little bit new to PHP. I've tried a PDO statement but it didn't work with my C# code: since I'm using SimpleJson.cs I need to get the value from my `PHP` as something like `"Value_ID": "1"`. If I use the PDO statement it won't get the result the way I need it. I just get the `"1"` value instead of it together with the name of my table column. Do you have any suggestion? – user236353 Jun 15 '20 at 09:13

1 Answer


I just wanna ask if my PHP code is secure enough

This question cannot be answered. A security assessment is very complex and is based on a thorough risk assessment.

Secure for what? What kind of attacks are you foreseeing?

  • DoS? I don't see any protection in what you've shown here (it might be implemented somewhere else).
  • SQL injection? You're using htmlspecialchars(), not htmlentities(); UTF-7 XSS attacks will be possible. In addition, I suggest using PDO prepared statements instead of mysqli.
dmuensterer
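The comments and the answer both point at prepared statements as the fix. The following is an added example, not code from the question, the answer or any project: it keeps the question's table Biz(Biz_ID, Biz_Name) and the TypeID POST parameter, shows the question's string-built query next to a parameterised one (mysqli and PDO), validates the ID as an integer before it reaches the database, and always returns JSON. The host, credentials and database name are hypothetical placeholders.

```php
<?php
declare(strict_types=1);

// Added example; not code from the question or the answer. It assumes the
// question's table Biz(Biz_ID INT, Biz_Name VARCHAR) and POST parameter TypeID.
// Host, credentials and database name below are hypothetical placeholders.

// Make mysqli throw on errors instead of returning false, so a failed query
// cannot be mistaken for "no rows" (the question's code would call ->num_rows
// on false and crash).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connectMysqli(): mysqli
{
    $db = new mysqli('localhost', 'app_user', 'app_password', 'administration'); // hypothetical
    $db->set_charset('utf8mb4'); // the driver must know the connection charset
    return $db;
}

// What the question does, shown only to make the problem visible: the input is
// glued into the query text, so it is part of the SQL rather than data.
// htmlspecialchars() rewrites characters for HTML output (& becomes &amp;,
// ' becomes &#039;); it is not an SQL escaping function and knows nothing
// about the database connection or its charset.
function buildQueryUnsafe(string $typeIdFromPost): string
{
    $venueTypeId = htmlspecialchars($typeIdFromPost, ENT_QUOTES);
    return "SELECT Biz_Name FROM Biz WHERE Biz_ID = '" . $venueTypeId . "'";
}

// Hardened version with a mysqli prepared statement: the SQL text is sent to
// the server first and the value afterwards, so the value can never change
// the structure of the query.
function lookupBizName(mysqli $db, int $typeId): array
{
    $stmt = $db->prepare('SELECT Biz_ID, Biz_Name FROM Biz WHERE Biz_ID = ?');
    $stmt->bind_param('i', $typeId);                       // 'i' = integer parameter
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);  // get_result() needs mysqlnd
    $stmt->close();
    return $rows;                                          // [] when nothing matches
}

// The same lookup with PDO. FETCH_ASSOC keeps the column names as keys, so
// json_encode() emits objects keyed by column name, not bare values.
function connectPdo(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=administration;charset=utf8mb4', // hypothetical
        'app_user',
        'app_password',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

function lookupBizNamePdo(PDO $pdo, int $typeId): array
{
    $stmt = $pdo->prepare('SELECT Biz_ID, Biz_Name FROM Biz WHERE Biz_ID = :id');
    $stmt->bindValue(':id', $typeId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request handler: check the type of the input before it reaches the database
// and always answer with JSON (an empty list, never the bare string 0).
function handleRequest(): void
{
    header('Content-Type: application/json; charset=utf-8');

    // null = parameter absent, false = present but not an integer >= 1
    $typeId = filter_input(INPUT_POST, 'TypeID', FILTER_VALIDATE_INT,
                           ['options' => ['min_range' => 1]]);
    if ($typeId === null || $typeId === false) {
        http_response_code(400);
        echo json_encode(['error' => 'TypeID must be a positive integer'], JSON_THROW_ON_ERROR);
        return;
    }

    $rows = lookupBizName(connectMysqli(), $typeId);
    echo json_encode($rows, JSON_THROW_ON_ERROR);
}

handleRequest();
```

The integer validation is defence in depth, not the fix: the prepared statement is what keeps the value out of the SQL text, and the same pattern applies to string parameters (bind with 's' or PDO::PARAM_STR) where no type check is possible. htmlspecialchars() still has a job, but it is at output time, when a value is written into an HTML page; this endpoint returns JSON, and json_encode() does the escaping that format needs.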