Solved

is a prepared statement still safe from Sql injection if not using ?

Posted on 2016-10-08
3
43 Views
Last Modified: 2016-10-08
I just want to select pretty much all records from a particular table. There is no WHERE clause and I don't think I have a place for the "?" So, is this still safe from SQL injection or do I have to change something?

$stmt = $link->prepare("SELECT `contact_name`, `contact_email`, `contact_message`, `contact_date` FROM `contact_form` ORDER BY `contact_id` DESC");
$stmt->execute();
$result = $stmt->get_result();
$numRows = $result->num_rows;
if($numRows > 0) {
	
		while($row = $result->fetch_assoc()){
		$db_name = clean_user_input($row['contact_name']);
		$db_email = filter_var($row['contact_email'], FILTER_SANITIZE_EMAIL);
		$db_message = clean_user_input($row['contact_message']);
		$db_date = clean_user_input($row['contact_date']);
	}
}

Open in new window

0
Comment
Question by:Black Sulfur
  • 2
3 Comments
 
LVL 52

Accepted Solution

by:
Julian Hansen earned 500 total points
ID: 41835002
Injection attacks apply to when you are using data sent to your script as part of the query.
$stmt = $link->prepare("SELECT `contact_name`, `contact_email`, `contact_message`, `contact_date` FROM `contact_form` ORDER BY `contact_id` DESC");

Open in new window

You have no parameters to this query - no data from outside is being sent to it - so therefore it cannot be used in an injection attack.

An injection attack happens when you do something like this
$username = $_POST['username'];
$password = $_POST['password'];
$query = <<< QUERY
SELECT * FROM users WHERE username='{$username}' AND password='{$password}'
QUERY;

Open in new window

If $username and $password are not sanitized then a malicious user could send through a 'username/password' that alters the query.
For instance
username="' OR 1=1;INSERT INTO users (username, password') VALUES('baduser', 'diabolical');SELECT 1 WHERE '1'=1'";

Open in new window

This results in the following 3 queries
SELECT * FROM users WHERE username='' OR 1=1;
INSERT INTO users (username, password') VALUES('baduser', 'diabolical');
SELECT 1 WHERE '1'='1' AND password='{$password}'

Open in new window

We have injected malicious SQL code into our seemingly benign query and changed it to do something completely different and malicious.

In your case there are no external parameters so no injection attack.
1
 

Author Closing Comment

by:Black Sulfur
ID: 41835007
Thank you!
0
 
LVL 52

Expert Comment

by:Julian Hansen
ID: 41835010
You are welcome.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Foreword In the years since this article was written, numerous hacking attacks have targeted password-protected web sites.  The storage of client passwords has become a subject of much discussion, some of it useful and some of it misguided.  Of cou…
Does the idea of dealing with bits scare or confuse you? Does it seem like a waste of time in an age where we all have terabytes of storage? If so, you're missing out on one of the core tools in every professional programmer's toolbox. Learn how to …
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to count occurrences of each item in an array.

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now