Reputation: 72
All I care about is my database not being altered. I don't have any login or stuff like that so I don't care about account bypassing, I just don't want people to be able to send commands like DROP through this simple HTML form.
Is this correct? It's what I came up with after reading another related topic here.
// Prepared statement: the SQL text is fixed here; the form values are supplied separately below
$stmt = $dbh->prepare("INSERT INTO request_song (ip, mesaj, name, oras, pentru, song) VALUES (:ip, :mesaj, :name, :oras, :pentru, :song)");
// Bind each named placeholder to the PHP variable holding the submitted form value
$stmt->bindParam(':ip', $ip);
$stmt->bindParam(':mesaj', $message);
$stmt->bindParam(':name', $name);
$stmt->bindParam(':oras', $oras);
$stmt->bindParam(':pentru', $pentru);
$stmt->bindParam(':song', $melodie);
// Run the statement with the bound values
$stmt->execute();
Will this fix any potential exploits? This is the form - can any white hats confirm it's safe please?
Upvotes: 0
Views: 43
Reputation: 12836
If you're really worried about it, then the easiest way to do it is that the username/password for MySQL that you use to connect to the MySQL database should only have Create, Read, Update access. While granting privileges to the user, just make sure you select only the actions that you want.
When a user tries to delete a record, you can just set a flag for deletion, a "soft" delete. For all intents and purposes, for the user this record is non-existent, even if it is still in the database. Later purge the database of such records using another MySQL account that has Delete/Drop capability as well.
Upvotes: 2
Reputation: 163438
You seem to be asking if your prepared query code will prevent SQL injection attacks. If that is what you are asking, then yes. Properly used prepared/parameterized queries separate the query (command) from the data. SQL injection attacks work because data is sometimes blindly mixed with the command, allowing someone to control your server via data inputs. Since they are separated in your case, this is not an issue.
Will this fix any potential exploits?
No, and that would be impossible to answer as "yes" anyway. That's a very broad question. You still need to worry about all the other dangers. Don't forget about XSS attacks and whatnot in the rest of your application.
Upvotes: 3
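An added example, not code from the question or from either answer, showing what "separating the command from the data" means for the asker's INSERT: the same statement once built by pasting form values into the SQL text and once parameterized like the PDO code above. Python with sqlite3 stands in for PHP/PDO and MySQL; the table uses the question's column names, and the payload and sample values are constructed.

```python
import sqlite3

# Constructed payload (hypothetical sample input): a DROP smuggled in via the "song" field.
PAYLOAD = "x'); DROP TABLE request_song; --"

def fresh_db():
    """In-memory database with a table shaped like the question's request_song."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE request_song (ip, mesaj, name, oras, pentru, song)")
    return con

def table_exists(con):
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='request_song'"
    ).fetchone()
    return row is not None

def insert_unsafe(con, ip, mesaj, name, oras, pentru, song):
    """Command and data mixed in one string: the form value becomes part of the SQL.
    executescript() plays the role of a driver/mode that executes stacked statements."""
    sql = (
        "INSERT INTO request_song (ip, mesaj, name, oras, pentru, song) "
        f"VALUES ('{ip}', '{mesaj}', '{name}', '{oras}', '{pentru}', '{song}');"
    )
    con.executescript(sql)

def insert_safe(con, ip, mesaj, name, oras, pentru, song):
    """Same INSERT, parameterized: the command text never changes, the values
    travel separately, so the payload is stored as a plain string."""
    con.execute(
        "INSERT INTO request_song (ip, mesaj, name, oras, pentru, song) "
        "VALUES (:ip, :mesaj, :name, :oras, :pentru, :song)",
        {"ip": ip, "mesaj": mesaj, "name": name, "oras": oras,
         "pentru": pentru, "song": song},
    )
    con.commit()

def demo():
    """Returns (table survived unsafe insert?, table survived safe insert?, stored song)."""
    con = fresh_db()
    insert_unsafe(con, "127.0.0.1", "hello", "bob", "Cluj", "mom", PAYLOAD)
    unsafe_survived = table_exists(con)

    con = fresh_db()
    insert_safe(con, "127.0.0.1", "hello", "bob", "Cluj", "mom", PAYLOAD)
    stored_song = con.execute("SELECT song FROM request_song").fetchone()[0]
    return unsafe_survived, table_exists(con), stored_song

if __name__ == "__main__":
    print(demo())  # (False, True, "x'); DROP TABLE request_song; --")
```

The unsafe path loses the table; the parameterized path keeps it and stores the payload verbatim as the song title, which is exactly the property the asker wants.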