Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

PHP: Prepared statements (newbie), just need to confirm this about SQL injection

I have long used the mysql_query() to do my stuff but now I am shifting to prepared statements for two reasons:
performance and no sql injection possibility

This is how I am using it:

function add_new_user($e_mail1,$username,$pass)
    {
    require_once "db.php";

$stmt = $mysqli->prepare("INSERT INTO un_users VALUES ('',?, ?,0,0,?,0)");
$stmt->bind_param('sss', $e_mail1, $username,$pass); 

$stmt->execute();    
$stmt->close();
    }

I am not sanitizing the three variables ($e_mail1,$username,$pass) when i pass them to the function or anything else.

Am I doing it the correct way or did I screw up somewhere or need to do something else? I'm a newbie with this (still going through the docs) so feel free to shower your knowledge :D

Thanks!

like image 933
Ryan Avatar asked Jun 16 '11 14:06

Ryan


People also ask

Can you do SQL injection in prepared statements?

Wikipedia says: Prepared statements are resilient against SQL injection, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.

Do prepared statements Stop SQL injection?

A prepared statement is a parameterized and reusable SQL query which forces the developer to write the SQL command and the user-provided data separately. The SQL command is executed safely, preventing SQL Injection vulnerabilities.

What is SQL injection in PHP with example?

What is PHP SQL Injection? When an attacker exploits a PHP application via an SQL Injection, they can gain access to the application's database and make the application execute unauthorized injected SQL commands to control the behavior of the application.


1 Answers

Yes, you are doing it correctly.

like image 143
alex Avatar answered Oct 20 '22 15:10

alex