Reputation: 13
protecting against injection in an advanced MySQL stored procedure statement in PHP
I am using an XML string passed into a stored procedure to store data into my database.
In general, I use PDO to create prepared statements to avoid SQL injection via bindParam() and bindValue(), then execute(). However, in order to optimize my database, I have decided to implement a stored procedure that takes in a large set of XML data and does all of the writing at once.
The stored procedure will use an iterator to go through the XML and insert rows into the database.
Using ExtractValue which uses XPath notation, I can do something like this:
CREATE DEFINER=`$DBU`@`%` PROCEDURE `write_comment_rows`(In xml_string text)
BEGIN
insert into my_table (comment) values (
ExtractValue(xml_string, 'user_data/comment_field')
);
END;
How can I make sure the data in my XML stored in comment_field is safe to put into my database?
Upvotes: 1
Views: 237
Answers (1)
Reputation: 157896
I see no optimization in this approach. A PHP-based parsing, followed by a series of prepared inserts wrapped in a transaction, would be blazing fast.
Anyway, there are inline prepared statements can be used in a procedure
Upvotes: 1
Related Questions
- which method to follow to prevent SQL injection in MySql Stored Procedure
- How do protect yourself against SQL injection when using prepared statements/store procedures in PHP?
- mysql PDO and stored procedure dynamic SQL injection
- How to avoid mysql injections using PDO
- SQL injection prevention on dynamic parameters
- SQL Injections PDO Protect
- pdo to prevent sql injection
- Preventing SQL injections in 2012
- SQL Injection Protection
- PHP: Injection protection using prepared statements