Solved

is a prepared statement still safe from Sql injection if not using ?

Posted on 2016-10-08
3
37 Views
Last Modified: 2016-10-08
I just want to select pretty much all records from a particular table. There is no WHERE clause and I don't think I have a place for the "?" So, is this still safe from SQL injection or do I have to change something?

$stmt = $link->prepare("SELECT `contact_name`, `contact_email`, `contact_message`, `contact_date` FROM `contact_form` ORDER BY `contact_id` DESC");
$stmt->execute();
$result = $stmt->get_result();
$numRows = $result->num_rows;
if($numRows > 0) {
	
		while($row = $result->fetch_assoc()){
		$db_name = clean_user_input($row['contact_name']);
		$db_email = filter_var($row['contact_email'], FILTER_SANITIZE_EMAIL);
		$db_message = clean_user_input($row['contact_message']);
		$db_date = clean_user_input($row['contact_date']);
	}
}

Open in new window

0
Comment
Question by:Black Sulfur
  • 2
3 Comments
 
LVL 51

Accepted Solution

by:
Julian Hansen earned 500 total points
Comment Utility
Injection attacks apply to when you are using data sent to your script as part of the query.
$stmt = $link->prepare("SELECT `contact_name`, `contact_email`, `contact_message`, `contact_date` FROM `contact_form` ORDER BY `contact_id` DESC");

Open in new window

You have no parameters to this query - no data from outside is being sent to it - so therefore it cannot be used in an injection attack.

An injection attack happens when you do something like this
$username = $_POST['username'];
$password = $_POST['password'];
$query = <<< QUERY
SELECT * FROM users WHERE username='{$username}' AND password='{$password}'
QUERY;

Open in new window

If $username and $password are not sanitized then a malicious user could send through a 'username/password' that alters the query.
For instance
username="' OR 1=1;INSERT INTO users (username, password') VALUES('baduser', 'diabolical');SELECT 1 WHERE '1'=1'";

Open in new window

This results in the following 3 queries
SELECT * FROM users WHERE username='' OR 1=1;
INSERT INTO users (username, password') VALUES('baduser', 'diabolical');
SELECT 1 WHERE '1'='1' AND password='{$password}'

Open in new window

We have injected malicious SQL code into our seemingly benign query and changed it to do something completely different and malicious.

In your case there are no external parameters so no injection attack.
1
 

Author Closing Comment

by:Black Sulfur
Comment Utility
Thank you!
0
 
LVL 51

Expert Comment

by:Julian Hansen
Comment Utility
You are welcome.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Developers of all skill levels should learn to use current best practices when developing websites. However many developers, new and old, fall into the trap of using deprecated features because this is what so many tutorials and books tell them to u…
Creating and Managing Databases with phpMyAdmin in cPanel.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now