user1968541

Reputation: 333

SQL injection Whilst Using Binds/Prepared Statements?

I know nothing about SQL injection apart from the process to block it.

I was wondering: if an attacker were to modify my prepared statement from:

// Prepare once; the "?" is compiled into the statement as a placeholder
$DB = $Con->prepare("SELECT * FROM Test WHERE username=?");
// Bind $Username to that placeholder as a string ('s')
$DB->bind_param('s', $Username);
$DB->execute();

And the statement he entered was:

x' DROP TABLE Test

How would the bind/prepared statement process this request?

Would it return an error or continue, as bind_param links specific values to said SQL statement?

Upvotes: 0

Views: 102

Answers (3)

Supericy

Reputation: 5896

Once you prepare a statement, it is pre-compiled. So any parameters you bind to it are sent as raw data and in no way could modify the SQL statement.

Your example would work fine, it would select all rows with the username x' DROP TABLE Test.

Upvotes: 0

jeroen

Reputation: 91742

No, the database would simply look for a record that has a username of x' DROP TABLE Test so you would probably end up with an empty result set.

Upvotes: 1

Gareth Parker

Reputation: 5062

When using bind_param, the values will be escaped for you. You should still validate the data to make sure it's correct, but it's safe from injection.

Upvotes: 0
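The mechanism all three answers describe, shown side by side with the string-building it replaces. This is an added example, not code from the question or from any of the answerers: Python's sqlite3 module stands in for PHP's mysqli (both use "?" placeholders with the value sent separately), the contents of the Test table are constructed here because the page does not show them, and a second, tautology-style payload is added next to the one from the question so the difference between the two approaches shows up in the result set rather than only as an error.

```python
import sqlite3

# Constructed sample rows standing in for the page's "Test" table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# The exact input from the question, plus a tautology payload (assumed here,
# not from the page) that changes the WHERE clause without a syntax error.
PAYLOAD_FROM_QUESTION = "x' DROP TABLE Test"
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"


def fresh_db():
    """Create an in-memory database holding the constructed Test table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Test (username TEXT, email TEXT)")
    con.executemany("INSERT INTO Test VALUES (?, ?)", SAMPLE_USERS)
    return con


def lookup_concatenated(con, username):
    """Vulnerable form: the attacker's text is parsed as part of the SQL."""
    sql = "SELECT * FROM Test WHERE username='" + username + "'"
    return con.execute(sql).fetchall()


def lookup_bound(con, username):
    """Prepared form: '?' is compiled as a placeholder, the value is only data."""
    return con.execute("SELECT * FROM Test WHERE username=?", (username,)).fetchall()


def demo(username):
    """Run both lookups on one input; report rows, or the error the SQL parser raised."""
    con = fresh_db()
    try:
        concat = lookup_concatenated(con, username)
    except sqlite3.Error as e:
        concat = f"SQL error: {e}"
    bound = lookup_bound(con, username)  # never raises: the text is never parsed as SQL
    return {"concatenated": concat, "bound": bound}


if __name__ == "__main__":
    for payload in (PAYLOAD_FROM_QUESTION, PAYLOAD_TAUTOLOGY):
        print(repr(payload), "->", demo(payload))
```

With the question's own input the concatenated query is simply malformed and the database rejects it, while the bound query compares the literal string "x' DROP TABLE Test" against each username and returns nothing. The tautology payload is the more instructive case: concatenation turns the WHERE clause into `username='x' OR '1'='1'` and every row comes back, whereas binding still returns an empty result set because the quote characters in the value never reach the parser.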
