Solved

is a prepared statement still safe from Sql injection if not using ?

Posted on 2016-10-08
3
49 Views
Last Modified: 2016-10-08
I just want to select pretty much all records from a particular table. There is no WHERE clause and I don't think I have a place for the "?" So, is this still safe from SQL injection or do I have to change something?

$stmt = $link->prepare("SELECT `contact_name`, `contact_email`, `contact_message`, `contact_date` FROM `contact_form` ORDER BY `contact_id` DESC");
$stmt->execute();
$result = $stmt->get_result();
$numRows = $result->num_rows;
if($numRows > 0) {
	
		while($row = $result->fetch_assoc()){
		$db_name = clean_user_input($row['contact_name']);
		$db_email = filter_var($row['contact_email'], FILTER_SANITIZE_EMAIL);
		$db_message = clean_user_input($row['contact_message']);
		$db_date = clean_user_input($row['contact_date']);
	}
}

Open in new window

0
Comment
Question by:Black Sulfur
  • 2
3 Comments
 
LVL 55

Accepted Solution

by:
Julian Hansen earned 500 total points
ID: 41835002
Injection attacks apply to when you are using data sent to your script as part of the query.
$stmt = $link->prepare("SELECT `contact_name`, `contact_email`, `contact_message`, `contact_date` FROM `contact_form` ORDER BY `contact_id` DESC");

Open in new window

You have no parameters to this query - no data from outside is being sent to it - so therefore it cannot be used in an injection attack.

An injection attack happens when you do something like this
$username = $_POST['username'];
$password = $_POST['password'];
$query = <<< QUERY
SELECT * FROM users WHERE username='{$username}' AND password='{$password}'
QUERY;

Open in new window

If $username and $password are not sanitized then a malicious user could send through a 'username/password' that alters the query.
For instance
username="' OR 1=1;INSERT INTO users (username, password') VALUES('baduser', 'diabolical');SELECT 1 WHERE '1'=1'";

Open in new window

This results in the following 3 queries
SELECT * FROM users WHERE username='' OR 1=1;
INSERT INTO users (username, password') VALUES('baduser', 'diabolical');
SELECT 1 WHERE '1'='1' AND password='{$password}'

Open in new window

We have injected malicious SQL code into our seemingly benign query and changed it to do something completely different and malicious.

In your case there are no external parameters so no injection attack.
1
 

Author Closing Comment

by:Black Sulfur
ID: 41835007
Thank you!
0
 
LVL 55

Expert Comment

by:Julian Hansen
ID: 41835010
You are welcome.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

These days socially coordinated efforts have turned into a critical requirement for enterprises.
When table data gets too large to manage or queries take too long to execute the solution is often to buy bigger hardware or assign more CPUs and memory resources to the machine to solve the problem. However, the best, cheapest and most effective so…
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question