Severity: High
Score: 7.5
Accuracy: Confirmed
Language: php
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Potential SQL Injection found in SELECT query.
Concatenating user input directly into SQL SELECT queries can lead to SQL Injection vulnerabilities. Consider using parameterized queries or prepared statements. Note that there are two problems in this code: the lack of sanitization of $_GET['username'], and the concatenation of that unsanitized value into the query string, which is what makes the query injectable:
where username = '".$user_input."'
...
$user_input = $_GET['username']; // attacker-controlled, never validated
$sql = "SELECT * FROM users WHERE username = '".$user_input."'"; // value becomes part of the SQL text (vulnerable)
...
This example shows how to fix your code.
Note the construction of the query using a ? placeholder, and the parameterization with bind_param, which keeps the user value out of the SQL text and ensures the security of the query.
This is just an example:
// $conn is assumed to be an existing mysqli connection.
$user_input = $_GET['username'] ?? '';

// The ? placeholder means the user value is never spliced into the SQL string.
$stmt = $conn->prepare("SELECT * FROM users WHERE username = ?");
// "s" binds $user_input as a string; the driver sends it separately from the query text.
$stmt->bind_param("s", $user_input);
$stmt->execute();
$result = $stmt->get_result();
if ($result->num_rows > 0) {
    while ($row = $result->fetch_assoc()) {
        // Escape database values before echoing them into HTML.
        echo "id: " . htmlspecialchars((string) $row["id"]) . " - Nome: " . htmlspecialchars($row["username"]) . " - Email: " . htmlspecialchars($row["email"]) . "<br>";
    }
} else {
    echo "0 resultados";
}
$stmt->close();
$conn->close();