-1

I've used a prepared statement when inserting into the database. How can I test that it prevents SQL injection using PHP and MySQL?

Here's the code:

    $firstName = 'Test';
    $lastName  = 'Test';
    $addQuery = "INSERT INTO Test(firstName, lastName) VALUES(?,?)";
    $addStatement = $this->dbc->prepare($addQuery);
    // bind_param() takes its arguments by reference, so variables must be passed, not string literals
    $addStatement->bind_param('ss', $firstName, $lastName);
    $addStatement->execute();
wemm
  • Provide us with how you are doing it, and we could say yes or no. Chances are if you did it right, then it's safe as safe can be until hackers figure out a new way to get through the current 'safe' measures. – IncredibleHat Jan 06 '18 at 18:28
  • When using a prepared statement instead of building a statement from user input by string concatenation, then SQL injection is not possible. Just show your code to see that you do actually use a prepared statement. – NineBerry Jan 06 '18 at 18:29
  • 1
    It's safe, you're not using *user* input :/ – Lawrence Cherone Jan 06 '18 at 18:32
  • Please view the edit @IncredibleHat – wemm Jan 06 '18 at 18:33
  • Prepared statement, no string concatenation, SQL injection is not possible. – NineBerry Jan 06 '18 at 18:33
  • But how can I test it, I need to demonstrate it to others @NineBerry – wemm Jan 06 '18 at 18:33
  • 1
    I'm not suggesting *the tool to use*, just write 2 examples, one without prepared queries and one with; you can test if it's vulnerable simply by adding a quote to the parameter. – Lawrence Cherone Jan 06 '18 at 18:36
  • 1
    Possible duplicate of [How can prepared statements protect from SQL injection attacks?](https://stackoverflow.com/questions/8263371/how-can-prepared-statements-protect-from-sql-injection-attacks) – Martin Jan 06 '18 at 18:42
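A runnable version of the two-example comparison suggested in the comments, added here as an illustration (it is not code from the question or from any answer). It uses Python's sqlite3 in-memory database as a stand-in for PHP/MySQL, since the same `?` placeholder mechanism applies; the table and column names follow the question, and the probe value `O'Brien` is constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the MySQL table in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Test (firstName TEXT, lastName TEXT)")
    return conn


def insert_concatenated(conn: sqlite3.Connection, first: str, last: str) -> None:
    # Deliberately unsafe: the input becomes part of the SQL text itself.
    sql = "INSERT INTO Test(firstName, lastName) VALUES('" + first + "', '" + last + "')"
    conn.execute(sql)


def insert_prepared(conn: sqlite3.Connection, first: str, last: str) -> None:
    # Safe: '?' placeholders mirror mysqli's bind_param() in the question;
    # the values are sent separately from the SQL text and are never parsed as SQL.
    conn.execute("INSERT INTO Test(firstName, lastName) VALUES(?, ?)", (first, last))


def probe(insert_fn, first: str, last: str) -> str:
    """Run one insert on a fresh table and report the outcome.

    'stored'  - the row holds the input exactly as given
    'error'   - the database rejected the statement (input was parsed as SQL)
    'altered' - a row was stored but its content differs from the input
    """
    conn = make_db()
    try:
        insert_fn(conn, first, last)
    except sqlite3.Error:
        return "error"
    rows = conn.execute("SELECT firstName, lastName FROM Test").fetchall()
    return "stored" if rows == [(first, last)] else "altered"


if __name__ == "__main__":
    # The probe from the comments: a value containing a single quote.
    quote_input = "O'Brien"
    for name, fn in (("concatenated", insert_concatenated), ("prepared", insert_prepared)):
        print(f"{name:12s} plain input -> {probe(fn, 'Test', 'Test')}")
        print(f"{name:12s} quote input -> {probe(fn, 'Test', quote_input)}")
```

The concatenated insert fails on the quoted input because the database tries to parse the value as SQL; the prepared insert stores `O'Brien` verbatim, which is the behaviour to show when demonstrating the protection.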

1 Answer

1

(the below is too big for comments)

How can I test that the [prepared statement] prevents SQL injections using PHP and MySQL?

While I feel people will mark down this question because most will be thinking Prepared Statements are The Best Way, I think this is unfair on the question asker, and it's always good not to assume something is safe just because that's the majority verdict.

While Prepared Statements ARE the best way so far, it's always good to query and to get your own proof, otherwise you're simply relying on second hand information from others.

Therefore for reference:

The last link is interesting as it underlines that Prepared Statements are not guaranteed 100% safe from Injection (but they are pretty damn close).

Martin