Solved

is a prepared statement still safe from Sql injection if not using ?

Posted on 2016-10-08
3
46 Views
Last Modified: 2016-10-08
I just want to select pretty much all records from a particular table. There is no WHERE clause and I don't think I have a place for the "?" So, is this still safe from SQL injection or do I have to change something?

$stmt = $link->prepare("SELECT `contact_name`, `contact_email`, `contact_message`, `contact_date` FROM `contact_form` ORDER BY `contact_id` DESC");
$stmt->execute();
$result = $stmt->get_result();
$numRows = $result->num_rows;
if($numRows > 0) {
	
		while($row = $result->fetch_assoc()){
		$db_name = clean_user_input($row['contact_name']);
		$db_email = filter_var($row['contact_email'], FILTER_SANITIZE_EMAIL);
		$db_message = clean_user_input($row['contact_message']);
		$db_date = clean_user_input($row['contact_date']);
	}
}

Open in new window

0
Comment
Question by:Black Sulfur
  • 2
3 Comments
 
LVL 54

Accepted Solution

by:
Julian Hansen earned 500 total points
ID: 41835002
Injection attacks apply to when you are using data sent to your script as part of the query.
$stmt = $link->prepare("SELECT `contact_name`, `contact_email`, `contact_message`, `contact_date` FROM `contact_form` ORDER BY `contact_id` DESC");

Open in new window

You have no parameters to this query - no data from outside is being sent to it - so therefore it cannot be used in an injection attack.

An injection attack happens when you do something like this
$username = $_POST['username'];
$password = $_POST['password'];
$query = <<< QUERY
SELECT * FROM users WHERE username='{$username}' AND password='{$password}'
QUERY;

Open in new window

If $username and $password are not sanitized then a malicious user could send through a 'username/password' that alters the query.
For instance
username="' OR 1=1;INSERT INTO users (username, password') VALUES('baduser', 'diabolical');SELECT 1 WHERE '1'=1'";

Open in new window

This results in the following 3 queries
SELECT * FROM users WHERE username='' OR 1=1;
INSERT INTO users (username, password') VALUES('baduser', 'diabolical');
SELECT 1 WHERE '1'='1' AND password='{$password}'

Open in new window

We have injected malicious SQL code into our seemingly benign query and changed it to do something completely different and malicious.

In your case there are no external parameters so no injection attack.
1
 

Author Closing Comment

by:Black Sulfur
ID: 41835007
Thank you!
0
 
LVL 54

Expert Comment

by:Julian Hansen
ID: 41835010
You are welcome.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Part of the Global Positioning System A geocode (https://developers.google.com/maps/documentation/geocoding/) is the major subset of a GPS coordinate (http://en.wikipedia.org/wiki/Global_Positioning_System), the other parts being the altitude and t…
3 proven steps to speed up Magento powered sites. The article focus is on optimizing time to first byte (TTFB), full page caching and configuring server for optimal performance.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to dynamically set the form action using jQuery.

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question