
Is this the correct way to avoid SQL injection in this SELECT?

// --[  Method  ]---------------------------------------------------------------
//
//  - Purpose   : Check if provided $email (taken from user input) exists in the DB
//
// -----------------------------------------------------------------------------
function DB_EmailExists($email)
{
    // Open the connection; bail out with the connect error if it fails.
    // (mysqli_error() requires a link argument, so the connect-stage error is
    // reported with mysqli_connect_error() instead.)
    if(DB_Connect() == false)
    {
        echo mysqli_connect_error();
        return false;
    }

    // The table name is a trusted config value (not user input); the email is
    // bound as a string parameter, so it can never become part of the SQL text.
    $stmt = $GLOBALS['global_db_link']->prepare("SELECT * FROM ".$GLOBALS['global_db_table_users']." WHERE Email=?");
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $numrows = $stmt->num_rows;
    $stmt->close();

    // No matching row: close the connection and report "not found".
    if ($numrows==0)
    {
        DB_Disconnect();
        return false;
    }

    // At least one row matched.
    DB_Disconnect();

    return true;
}

1 Answer


Yes, that works. But there is no need to SELECT *; just use SELECT email.


3 Comments

Perfect, I have added reCAPTCHA to ensure no 'bot' is submitting the POST too.
@Pees - captchas are not foolproof, and they are bad for user experience. It's better to use other techniques to prevent bots. stackoverflow.com/a/13158804/870729 as well as using a nonce: stackoverflow.com/questions/4145531/…
@cale_b Google's no-captcha is pretty legit though.
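The same existence check with the answer's advice applied, as an added example (not the asker's code). It assumes `$db` is an open `mysqli` connection created elsewhere and that the table name comes from trusted configuration; it also shows why the table identifier, which `bind_param` cannot bind, has to be checked against a fixed allowlist rather than interpolated from anything user-controlled.

```php
<?php
declare(strict_types=1);

// Identifiers (table/column names) cannot be bound with bind_param, so the
// only safe way to make one dynamic is to compare it against a fixed allowlist.
// The names below are constructed example values.
const ALLOWED_USER_TABLES = ['users', 'users_archive'];

function emailExists(mysqli $db, string $table, string $email): bool
{
    if (!in_array($table, ALLOWED_USER_TABLES, true)) {
        throw new InvalidArgumentException("Unknown users table: $table");
    }

    // SELECT 1 ... LIMIT 1 instead of SELECT *: we only need to know whether a
    // row exists, so no columns are fetched and the scan stops at the first hit.
    $sql = "SELECT 1 FROM `$table` WHERE Email = ? LIMIT 1";

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    // The email travels to the server separately from the SQL text, so quotes
    // or keywords inside it are treated as data, never as part of the query.
    $stmt->bind_param('s', $email);
    if (!$stmt->execute()) {
        $error = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $error);
    }
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();

    return $found;
}
```

A legitimate address containing an apostrophe (for example `o'brien@example.com`) would break a string-concatenated query but is handled correctly here, which is the practical sign that the input is being bound rather than spliced into the SQL.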
