Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

is a prepared statement still safe from Sql injection if not using ?

Posted on 2016-10-08
3
Medium Priority
?
63 Views
Last Modified: 2016-10-08
I just want to select pretty much all records from a particular table. There is no WHERE clause and I don't think I have a place for the "?" So, is this still safe from SQL injection or do I have to change something?

$stmt = $link->prepare("SELECT `contact_name`, `contact_email`, `contact_message`, `contact_date` FROM `contact_form` ORDER BY `contact_id` DESC");
$stmt->execute();
$result = $stmt->get_result();
$numRows = $result->num_rows;
if($numRows > 0) {
	
		while($row = $result->fetch_assoc()){
		$db_name = clean_user_input($row['contact_name']);
		$db_email = filter_var($row['contact_email'], FILTER_SANITIZE_EMAIL);
		$db_message = clean_user_input($row['contact_message']);
		$db_date = clean_user_input($row['contact_date']);
	}
}

Open in new window

0
Comment
Question by:Black Sulfur
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 59

Accepted Solution

by:
Julian Hansen earned 2000 total points
ID: 41835002
Injection attacks apply to when you are using data sent to your script as part of the query.
$stmt = $link->prepare("SELECT `contact_name`, `contact_email`, `contact_message`, `contact_date` FROM `contact_form` ORDER BY `contact_id` DESC");

Open in new window

You have no parameters to this query - no data from outside is being sent to it - so therefore it cannot be used in an injection attack.

An injection attack happens when you do something like this
$username = $_POST['username'];
$password = $_POST['password'];
$query = <<< QUERY
SELECT * FROM users WHERE username='{$username}' AND password='{$password}'
QUERY;

Open in new window

If $username and $password are not sanitized then a malicious user could send through a 'username/password' that alters the query.
For instance
username="' OR 1=1;INSERT INTO users (username, password') VALUES('baduser', 'diabolical');SELECT 1 WHERE '1'=1'";

Open in new window

This results in the following 3 queries
SELECT * FROM users WHERE username='' OR 1=1;
INSERT INTO users (username, password') VALUES('baduser', 'diabolical');
SELECT 1 WHERE '1'='1' AND password='{$password}'

Open in new window

We have injected malicious SQL code into our seemingly benign query and changed it to do something completely different and malicious.

In your case there are no external parameters so no injection attack.
1
 
LVL 1

Author Closing Comment

by:Black Sulfur
ID: 41835007
Thank you!
0
 
LVL 59

Expert Comment

by:Julian Hansen
ID: 41835010
You are welcome.
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When table data gets too large to manage or queries take too long to execute the solution is often to buy bigger hardware or assign more CPUs and memory resources to the machine to solve the problem. However, the best, cheapest and most effective so…
By, Vadim Tkachenko. In this article we’ll look at ClickHouse on its one year anniversary.
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question