prepared statements - sql injection - PHP Server Side Scripting forum at WebmasterWorld

Forum Moderators: coopster

Message Too Old, No Replies

prepared statements - sql injection

Is it safe?

bethesda

4:22 pm on Nov 15, 2011 (gmt 0)

Hello.
I try to figure it out is my statement are secure enough:


<?php
$db = new mysqli('#*$!', '#*$!', '#*$!', '#*$!');
$stmt = $db->stmt_init();
if($stmt->prepare("SELECT `col1`, `col2` FROM `tab1` WHERE `something` = ?")) {

$stmt->bind_param('i', $parametr);
$parametr = something;
 
$stmt->execute();
$stmt->bind_result($first, $second);
while($stmt->fetch()) {
echo "$first_row - $second_row"; 
}
 
$stmt->close();
}
?>

Thanks ..

rocknbil

5:08 pm on Nov 15, 2011 (gmt 0)

You don't really show **how** input data gets to your statements, and that's where security issues lie.

bethesda

5:16 pm on Nov 15, 2011 (gmt 0)

Does it protect me against sql injection?

topr8

6:01 pm on Nov 15, 2011 (gmt 0)

well in this case the parameter must be an integer so it should be safe.

however it is good practice to check that the data is an integer (or whatever) before using the prepared statement.

also it is good practice, to really lock down your database permissions (just in case) each table and even each column should only have the permissions required by the username ... eg if the user doesn't need to update a table, don't give that user update permissions, ditto: delete, insert etc etc

bethesda

6:43 pm on Nov 15, 2011 (gmt 0)

Thanks.
Can i use mysql instead of mysqli in prepared statements ?


$db = new mysql('#*$!', '#*$!', '#*$!', '#*$!');

doesn't work :-/

penders

4:49 pm on Nov 16, 2011 (gmt 0)

The (old/original) PHP MySQL extension does not support an object orientated interface (procedural only) or prepared statements. So, you will need to use the mysqli extension (or PDO [am.php.net]) for this.