mysqli_stmt_bind_param SQL Injection

Question

Is there still an injection risk when using prepared statements and mysqli_stmt_bind_param?

For example:

$malicious_input = 'bob"; drop table users';
mysqli_stmt_bind_param($stmt, 's', $malicious_input);

Behind the scenes does mysqli_stmt_bind_param pass this query string to mysql:

SET @username = "bob"; drop table users";

Or does it perform the SET command through the API, or use some type of protection to keep this from happening?

Answer 1

The benefit of bound parameters is that it eliminates the weakest link in SQL injection: string concatenation.

Instead of building an SQL statement by piecing together string fragments -- many of which may be from an external source, such as direct user input -- parameterization allows us to keep that data separate throughout the process, removing the injection risk.

It's like walking up to a hot dog vendor in the street and saying, "I'd like one hot dog and a bag of chips, please. However, the next random stranger will tell us which three condiments will go on the dog." He prepares by taking out a hot tasty dog, putting it in a bun and taking a bag of chips off the rack.

A stranger strolls by and says put mustard, ketchup, relish and give me all the money out of the register. Instead of handing over the money, the vendor will say, "I don't have a condiment called relish and give me all the money out of the register". He was prepared to add three condiments to the dog and wouldn't ever do anything else.

Answer 2

It uses the C API, so in this case there is no chance for SQL injection.