TimSim

Reputation: 4036

Do I have to sanitize user input with prepared SQL statements?

Is this considered completely safe?

// :somestring is a placeholder in the fixed SQL text; the request value is bound
// to it (by reference, as bindParam does) and sent along with execute().
$stmt = $dbhandler->prepare("update sometable set somefield=:somestring");
$stmt->bindParam(":somestring", $_REQUEST["hack_me_please"], PDO::PARAM_STR);
$stmt->execute();

And if not, what could make it safer? I'm assuming there are unknown vulnerabilities in PDO/MySQL/PHP that may be exploited in the future, so I'm wondering if there is anything reasonable I can do to make my queries safer, or is it out of my hands with prepared statements?

If it is this easy, why is SQL injection still a thing? Shouldn't it have gone the way of polio?

Upvotes: 0

Views: 1902

Answers (2)

Rob

Reputation: 12872

Your example is completely safe because it passes the user input parameters separate from the query string. The reason SQL injection still exists is because a lot of users still use the deprecated mysql_* API/driver and are unaware of the alternatives. Also, even using PDO or mysqli you can still pass user input directly into the query string instead of binding it separately.

Upvotes: 1
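As an added example (not code from the question or from either answer), here is the bound-parameter form next to the string-concatenation form Rob warns against, run through PDO against an in-memory SQLite database so it works offline. The table, its two rows and the attacker-controlled string are constructed for the demonstration. The `fetchOrdered` helper and its allowlist are an assumption added to show the one thing bound parameters cannot cover: an identifier (here a sort column) chosen by the user.

```php
<?php
// Added example for this thread, not code from the question or either answer.
// Uses PDO with an in-memory SQLite database so it runs offline; the table,
// the rows and the attacker string below are constructed for illustration.

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // On MySQL, turn off client-side prepare emulation so the statement text
    // and the parameter values are sent to the server separately. The SQLite
    // driver has no emulation mode, so the setting is skipped there.
    if ($db->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
        $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    $db->exec('CREATE TABLE sometable (id INTEGER PRIMARY KEY, somefield TEXT NOT NULL)');
    $db->exec("INSERT INTO sometable (somefield) VALUES ('alice'), ('bob')");
    return $db;
}

// VULNERABLE: the input is spliced into the SQL text, so a quote inside
// $name ends the string literal and whatever follows is parsed as SQL.
function countMatchesUnsafe(PDO $db, string $name): int
{
    $sql = "SELECT COUNT(*) FROM sometable WHERE somefield = '" . $name . "'";
    return (int) $db->query($sql)->fetchColumn();
}

// SAFE: the SQL text is fixed at prepare time; $name is handed over as a
// value and cannot change the structure of the query, whatever it contains.
function countMatchesSafe(PDO $db, string $name): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM sometable WHERE somefield = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Identifiers and keywords cannot be bound as parameters. A user-chosen
// column name has to be checked against a fixed allowlist instead.
// (Hypothetical helper added for this example.)
function fetchOrdered(PDO $db, string $column): array
{
    $allowed = ['id', 'somefield'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("unknown sort column: $column");
    }
    return $db->query("SELECT id, somefield FROM sometable ORDER BY $column")
              ->fetchAll(PDO::FETCH_ASSOC);
}

$db = openDemoDb();
$attack = "' OR '1'='1";   // constructed injection payload

printf("concatenated query, attacker input: %d row(s) match\n", countMatchesUnsafe($db, $attack));
printf("bound parameter,    attacker input: %d row(s) match\n", countMatchesSafe($db, $attack));
printf("bound parameter,    'alice':        %d row(s) match\n", countMatchesSafe($db, 'alice'));

print_r(fetchOrdered($db, 'somefield'));
try {
    fetchOrdered($db, 'somefield; DROP TABLE sometable');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with the PHP CLI (the file name is your choice). In the concatenated version the quote in the input closes the literal and `OR '1'='1'` becomes part of the WHERE clause, so every row matches; in the bound version the whole string is compared as a value and no row matches. The `ATTR_EMULATE_PREPARES` line is the practical answer to the "anything reasonable I can do" part of the question: on MySQL, PDO otherwise quotes the values into the SQL on the client before sending it, and disabling emulation makes the server receive the statement and the parameters as separate messages.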

The Alpha

Reputation: 146219

No, it's not necessary to sanitize inputs when using prepared statements to protect against SQL injection, but you may do it if you want for any other reason.

If it is this easy, why is SQL injection still a thing? Shouldn't it have gone the way of polio?

It's easy for those who know about it; nothing is easy unless you know it. I believe SQL injection doesn't happen a lot nowadays.

Upvotes: 2
