Issue With Mysqli Prepared Statement When Using AES_ENCRYPT
14-04-2021
Question
I have searched extensively before posting. :)
I am trying to do a simple insert into mySQL. I am using mysqli with prepared statements. Below is the code:
$sql_query = "UPDATE $table SET $name = AES_ENCRYPT(?,'$key') WHERE $id_name = '$_SESSION[$id_name]'";
$stmt = $mysqli->prepare($sql_query);
$stmt->bind_param('b', $value);
$stmt->execute();
Yes, I am declaring $mysqli with a connection to the mySQL database server earlier in the code. $key is also declared earlier in the script. Below is the output in the mySQL general log file when this code is invoked:
120104 10:46:18 359 Connect root@localhost on payday-loan-leads
359 Query SELECT table_location, id_name, encrypt FROM insert_information WHERE required_field_name = 'first_name'
359 Prepare UPDATE personal_info SET first_name = AES_ENCRYPT(?,'^&IK8uBo92X04jhAHPUH(Y(8p3)&^ndlkj32') WHERE personal_id = '5282'
359 Execute UPDATE personal_info SET first_name = AES_ENCRYPT('','^&IK8uBo92X04jhAHPUH(Y(8p3)&^ndlkj32') WHERE personal_id = '5282'
359 Close stmt
359 Quit
As you can see, mySQL is preparing the INSERT query but does not capture the value of $value. When I remove the AES_ENCRYPT from the $sql_query, it works like a charm:
$stmt = $mysqli->prepare("UPDATE $table SET $name = ? WHERE $id_name = '$_SESSION[$id_name]'");
$stmt->bind_param('s', $value);
So the problem is with the AES_ENCRYPT function of mySQL. I tried moving the function into the bind_param line and this did not work. Anyone have any ideas here?
Solution
You use b (blob) for binding in the AES version, but s (string) in the non-AES version. Try s in the AES version - it shouldn't matter WHERE a parameter appears in a query, as long as it's not used for a field or table name.
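The same update written the way the answer suggests, as an added example that is not the original poster's code or the answer's. It binds the value with 's' (mysqli treats a 'b' parameter as long data to be streamed with send_long_data(), and with no such call the server sees the empty string shown in the question's log), and it also binds the key and the id instead of splicing them into the SQL text. Column names cannot be bound, so they are checked against a fixed list. The table name personal_info and the column names are taken from the question's log; the connection details, the ALLOWED_COLUMNS list, and the assumption that the encrypted column is VARBINARY/BLOB (AES_ENCRYPT returns binary) are mine.

```php
<?php
// Added example, not code from the original question or answer.
// Assumes a mysqli connection and a table
// personal_info(personal_id INT, first_name VARBINARY(255), ...)
// modelled on the question's general-log output.
declare(strict_types=1);

// Throw on any MySQL error instead of silently continuing.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Identifiers cannot be bound as parameters, so restrict them to an
// allow-list (assumed here) rather than interpolating user-controlled data.
const ALLOWED_COLUMNS = ['first_name', 'last_name', 'email'];

function assertAllowedColumn(string $column): void
{
    if (!in_array($column, ALLOWED_COLUMNS, true)) {
        throw new InvalidArgumentException("column not allowed: $column");
    }
}

// Encrypt $value server-side with AES_ENCRYPT and store it. Returns the
// number of affected rows.
function encryptedUpdate(mysqli $db, string $column, string $value, string $key, int $personalId): int
{
    assertAllowedColumn($column);
    // Value, key and id are all placeholders; nothing from the request or
    // the session is concatenated into the statement text.
    $sql = "UPDATE personal_info SET `$column` = AES_ENCRYPT(?, ?) WHERE personal_id = ?";
    $stmt = $db->prepare($sql);
    // 's' for both strings. 'b' would mark the parameter as long data to be
    // sent with send_long_data(); without that call the server receives ''.
    $stmt->bind_param('ssi', $value, $key, $personalId);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Read the column back through AES_DECRYPT. Returns null if no row matched
// or if decryption failed (AES_DECRYPT yields NULL for a wrong key).
function decryptedRead(mysqli $db, string $column, string $key, int $personalId): ?string
{
    assertAllowedColumn($column);
    $sql = "SELECT AES_DECRYPT(`$column`, ?) FROM personal_info WHERE personal_id = ?";
    $stmt = $db->prepare($sql);
    $stmt->bind_param('si', $key, $personalId);
    $stmt->execute();
    $stmt->bind_result($plain);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $plain : null;
}

// Usage (connection details are assumed):
// $mysqli = new mysqli('localhost', 'app_user', 'app_pass', 'payday-loan-leads');
// $key    = getenv('AES_KEY');              // keep the key out of the source file
// encryptedUpdate($mysqli, 'first_name', 'Alice', $key, 5282);
// echo decryptedRead($mysqli, 'first_name', $key, 5282);   // Alice
```

One caveat the question's own log makes visible: the general log's Execute line prints the statement with bound values substituted, so binding the key keeps it out of the Prepare line but not out of the Execute line. Server-side AES_ENCRYPT always hands the key to the server; if the key must never reach the database host or its logs, encrypt in the application and store the ciphertext with a plain '?' placeholder instead.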