SQL Injection with Prepared Statements

StackOverflow https://stackoverflow.com/questions/22498733

Question

Suppose, using PHP and MySQL, I prepare the following SQL statement:

$statement = $connection->prepare("SELECT departmentName FROM departments WHERE department_type='academic' AND buildingName=?")

-- where buildingName is a parameter passed in by the URL's query string (which is validated and becomes bound) and department_type is a known parameter.

Is this style of prepared statement still vulnerable to SQL Injection or any other SQL attack? To be specific, is placing a definitive parameter, in this case department_type, directly into the prepared statement's command string a possible vulnerability?

Was it helpful?

Solution

No, it will not be vulnerable. Using prepared statements is the suggested way to protect against SQLi.

If you are sure department_type parameter is not affected from any user input, then it is safe to place it directly into the query.

A variable's being affected from user input is a bit complicated though. This effect can be indirect as well. For example if department_type is retrieved from database, which was saved on another page being affected by user then it is indirectly affected from user input and should be considered as "not trusted".

OTHER TIPS

It is a good practice to sanitize your input (and sometimes even output) as it may break other parts of your application. Your database will not be affected if you are using prepared statements but if you are serving a web page, it can be affected by an attack.

As an example to possible attack types you can check XSS attacks. It is currently listed as the third most used attack type in owasp website.

It is safe to use department_type directly in the query since department_type='academic' is constant and can not be altered.

Hope these links will help you.

How does PHP PDO's prepared statements prevent sql injection?

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top