Question

I have searched extensively before posting. :)

I am trying to do a simple insert into MySQL. I am using mysqli with prepared statements. Below is the code:

$sql_query = "UPDATE $table SET $name = AES_ENCRYPT(?,'$key') WHERE $id_name = '$_SESSION[$id_name]'";
$stmt = $mysqli->prepare($sql_query);
$stmt->bind_param('b', $value);
$stmt->execute();

Yes, I am declaring $mysqli with a connection to the MySQL database server earlier in the code. $key is also declared earlier in the script. Below is the output in the MySQL general log file when this code is invoked:

120104 10:46:18   359 Connect   root@localhost on payday-loan-leads
                  359 Query     SELECT table_location, id_name, encrypt FROM insert_information WHERE required_field_name = 'first_name'
                  359 Prepare   UPDATE personal_info SET first_name = AES_ENCRYPT(?,'^&IK8uBo92X04jhAHPUH(Y(8p3)&^ndlkj32') WHERE personal_id = '5282'
                  359 Execute   UPDATE personal_info SET first_name = AES_ENCRYPT('','^&IK8uBo92X04jhAHPUH(Y(8p3)&^ndlkj32') WHERE personal_id = '5282'
                  359 Close stmt
                  359 Quit

As you can see, MySQL is preparing the INSERT query but does not capture the value of $value. When I remove the AES_ENCRYPT from the $sql_query, it works like a charm:

$stmt = $mysqli->prepare("UPDATE $table SET $name = ? WHERE $id_name = '$_SESSION[$id_name]'");
$stmt->bind_param('s', $value);

So the problem is with the AES_ENCRYPT function of MySQL. I tried moving the function into the bind_param line and this did not work. Anyone have any ideas here?


Solution

You use b (blob) for binding in the AES version, but s (string) in the non-AES version. Try s in the AES version - it shouldn't matter WHERE a parameter appears in a query, as long as it's not used for a field or table name.
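The statement from the question with the `s` binding applied, as an added example that is not part of the original question or answer: it also binds the key and the row id as parameters instead of interpolating them into the SQL text, and checks the table and column names against an allow-list because identifiers cannot be bound. The function name `update_encrypted`, the allow-list contents, the connection details, and the `FIELD_KEY` environment variable are assumptions made for illustration.

```php
<?php
// Added example, not the asker's code. Names marked "hypothetical" are
// assumptions made for illustration.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors

// Identifiers cannot be bound as parameters, so they are checked against
// a fixed allow-list (hypothetical contents) before being interpolated.
const ALLOWED = [
    'personal_info' => ['id' => 'personal_id', 'columns' => ['first_name', 'last_name']],
];

function update_encrypted(mysqli $db, string $table, string $column,
                          string $value, string $key, string $id): int
{
    if (!isset(ALLOWED[$table])
        || !in_array($column, ALLOWED[$table]['columns'], true)) {
        throw new InvalidArgumentException('unexpected table or column');
    }
    $idName = ALLOWED[$table]['id'];

    // Every data value, including the key and the row id, is a placeholder.
    $sql = "UPDATE `$table` SET `$column` = AES_ENCRYPT(?, ?) WHERE `$idName` = ?";
    $stmt = $db->prepare($sql);

    // 's' sends each value along with execute(). A 'b' parameter is only
    // transmitted when it is streamed with send_long_data(), which is why
    // the general log in the question shows an empty string.
    $stmt->bind_param('sss', $value, $key, $id);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// Constructed usage: placeholder credentials, key read from the environment.
$key = getenv('FIELD_KEY'); // hypothetical variable name
if ($key === false || $key === '') {
    throw new RuntimeException('FIELD_KEY is not set');
}
session_start();
$db = new mysqli('localhost', 'app_user', 'app_password', 'example_db');
echo update_encrypted($db, 'personal_info', 'first_name', 'Alice',
                      $key, (string) $_SESSION['personal_id']), "\n";
```

AES_ENCRYPT returns binary data, so the target column should be a binary type such as VARBINARY or BLOB.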

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow