Mark
Reputation: 73
Is this mysqli code using prepared statements safe against SQL injection?
I am using prepared statements to prevent sql injection. I want to know if i am in right track or not to prevent sql injection using prepared statement. Below is an example html form.
<form action="" method="post" name="ff" id="ff">
<input type="text" name="input1">
<input type="text" name="input2">
<input type="submit" value="submit" name="submit">
</form>
Now when submitting the above form then i am using the following php code with prepared statements.
if(isset($_POST["submit"]))
{
$query = "insert INTO table (input1,input2) VALUES (?,?)";
$stmt = mysqli_prepare($link, $query);
mysqli_stmt_bind_param($stmt, "ss", $_REQUEST["input1"], $_REQUEST["input2"]);
$result = mysqli_stmt_execute($stmt);
if ( false===$result ) {
die('Statement failed: '.$stmt->error);
}
}
Please tell me if the above php code with prepared statement is fine or not to prevent sql injection thing. Also please confirm that i'm using user input as a parameter for prepared statement and not building the SQL command by joining strings together.
Upvotes: 1
Views: 816
Answers (1)
Abhinav
Reputation: 8168
It looks fine. Why do you wanna use $_REQUEST. It has certain vulnerabilities. Use $_POST instead. Your code is definitely cool against SQL injection
Upvotes: 2
Related Questions
- PHP MySQLi prepared statement for SELECT (avoid SQL Injection)
- Are MySQLi Prepared Statements sufficient to prevent SQL injection?
- SQL Injection with Prepared Statements
- Why does this MySQLI prepared statement allow SQL injection?
- Do mysqli prepared statements protect fully from mysql injections?
- Mysqli prepared statement (SQL injection prevention)
- MySQLi prepare is for security reasons?
- Would prepared statements completely secure my website from MySQL injection?
- PHP: Injection protection using prepared statements
- Are PHP MySQLi prepared queries with bound parameters secure?