I keep getting told my code is vulnerable to SQL injection; however, I have since converted from the mysql extension to mysqli, and I've tried SQL injection attacks on myself but none of them seem to work, so my question is...
Is my code actually secure, and if not, why won't the SQL injection work?
```php
<?php
session_start();
if (!isset($_SESSION["email"])) {
    header("Location: logout.php");
    die();
}
include('connect-db.php');
if (mysqli_connect_errno()) {
    echo "Failed to connect to mysqli: " . mysqli_connect_error();
}

function newUser()
{
    $forename  = $_POST['forename'];
    $surname   = $_POST['surname'];
    $email     = $_POST['email'];
    $securityq = $_POST['securityq'];
    $securitya = $_POST['securitya'];
    $password  = $_POST['password'];
    // Raw POST values are interpolated straight into the SQL string (the injection point).
    $query = "INSERT INTO admin (forename,surname,email,securityq,securitya,password) VALUES ('$forename','$surname','$email','$securityq','$securitya','$password')";
    include('connect-db.php');
    $data = mysqli_query($db, $query) or die(mysqli_error($db));
    if ($data) {
    }
}

function SignUp()
{
    if (!empty($_POST['email'])) {
        include('connect-db.php');
        // Same problem here: $_POST['email'] is interpolated unescaped into the SELECT.
        $query = mysqli_query($db, "SELECT * FROM admin WHERE email = '$_POST[email]'")
            or die(mysqli_error($db));
        $row = mysqli_fetch_array($query);
        if (!$row) {
            newUser();
            echo ("<SCRIPT LANGUAGE='JavaScript'>
            window.alert('Admin Registration Successful')
            window.location.href='adminhome.php';
            </SCRIPT>");
        } else {
            echo ("<SCRIPT LANGUAGE='JavaScript'>
            window.alert('Sorry You are already a registered user!')
            window.location.href='adminhome.php';
            </SCRIPT>");
        }
    }
}

if (isset($_POST['submit'])) {
    SignUp();
}
?>
```
The errors I get upon attempted SQL injection are all similar to this one:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DROP table pdf',','lll','pppppp')' at line 1
I have also tried lots of different types of SQL injection and none of them work.
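The following is an added example, not code from the original question: the same sign-up flow rewritten so that every query is a mysqli prepared statement and user input is bound as data rather than pasted into SQL text. It assumes that `connect-db.php` creates `$db` as a mysqli connection, that the `admin` table has the columns used in the question, and that the login page is updated to check passwords with `password_verify()` since the password is now stored as a `password_hash()` digest.

```php
<?php
// Added example, not from the original question: the same sign-up flow with
// every query parameterised. Assumes connect-db.php creates $db as a mysqli
// connection and that the `admin` table has the columns used in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors throw instead of being echoed to the browser
session_start();
if (!isset($_SESSION['email'])) {
    header('Location: logout.php');
    exit;
}
require 'connect-db.php';

// Returns true if an admin row with this e-mail exists. The value is bound as
// a string parameter, so quotes or semicolons inside it stay inside the value.
function adminExists(mysqli $db, string $email): bool
{
    $stmt = mysqli_prepare($db, 'SELECT 1 FROM admin WHERE email = ? LIMIT 1');
    mysqli_stmt_bind_param($stmt, 's', $email);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);
    $found = mysqli_stmt_num_rows($stmt) > 0;
    mysqli_stmt_close($stmt);
    return $found;
}

// Inserts the new admin. All six columns are bound; the password is stored as
// a password_hash() digest (the login page must then use password_verify()).
function newUser(mysqli $db, array $post): void
{
    $forename  = $post['forename'];
    $surname   = $post['surname'];
    $email     = $post['email'];
    $securityq = $post['securityq'];
    $securitya = $post['securitya'];
    $password  = password_hash($post['password'], PASSWORD_DEFAULT);

    $stmt = mysqli_prepare(
        $db,
        'INSERT INTO admin (forename, surname, email, securityq, securitya, password)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    mysqli_stmt_bind_param($stmt, 'ssssss',
        $forename, $surname, $email, $securityq, $securitya, $password);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
}

function signUp(mysqli $db): void
{
    // Assumption: every column in the INSERT is a required form field.
    $required = ['forename', 'surname', 'email', 'securityq', 'securitya', 'password'];
    foreach ($required as $field) {
        if (!isset($_POST[$field]) || $_POST[$field] === '') {
            return; // incomplete form: nothing to do
        }
    }
    if (adminExists($db, $_POST['email'])) {
        $message = 'Sorry, you are already a registered user!';
    } else {
        newUser($db, $_POST);
        $message = 'Admin Registration Successful';
    }
    // The message is one of the two fixed strings chosen above, never user
    // input, so placing it inside the inline script cannot inject script.
    echo "<script>window.alert(" . json_encode($message) . ");"
       . "window.location.href='adminhome.php';</script>";
}

if (isset($_POST['submit'])) {
    signUp($db);
}
```

Why the attempt in the question produced a syntax error rather than a dropped table: `mysqli_query()` sends a single statement, so when the server reaches the `DROP table pdf` fragment appended after the closing quote it rejects the whole string, which is exactly the message shown. That is a property of the one-statement-per-call interface, not evidence that the interpolated strings are safe; any input that reshapes the `WHERE` or `VALUES` clause while staying inside one statement still passes through unchanged. Binding parameters, as above, removes the problem for every input rather than for one payload shape, and `mysqli_report(MYSQLI_REPORT_STRICT)` stops the raw MySQL error text from being echoed back to the browser.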