mysqli_stmt_bind_param SQL Injection

Posted by profitphp on Stack Overflow
Published on 2010-06-17T21:31:19Z Indexed on 2010/06/17 21:33 UTC


Is there still an injection risk when using prepared statements and mysqli_stmt_bind_param?

For example:

$malicious_input = 'bob"; drop table users';
mysqli_stmt_bind_param($stmt, 's', $malicious_input);

Behind the scenes does mysqli_stmt_bind_param pass this query string to mysql:

SET @username = "bob"; drop table users";

Or does it perform the SET command through the API, or use some type of protection to keep this from happening?
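An added illustration of the distinction the question asks about, not part of the original post: it uses Python's sqlite3 module as a stand-in because mysqli needs a live MySQL server, but it shows the same mechanism mysqli_stmt_bind_param relies on, where the statement text containing only a ? placeholder is sent to the server and the bound value travels separately as data. The users table, the query shapes and the helper names are constructed for this example.

```python
import sqlite3

# Value taken from the question: a quote that closes the string literal,
# followed by a second, stacked statement.
MALICIOUS_INPUT = 'bob"; drop table users'

# Statement text the driver sends when a placeholder is used; the user's
# value never becomes part of this string.
BOUND_SQL = "SELECT name FROM users WHERE name = ?"


def fresh_db():
    """In-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def table_exists(conn, name):
    sql = "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?"
    return conn.execute(sql, (name,)).fetchone()[0] == 1


def build_interpolated(username):
    """Vulnerable pattern: the value is spliced into the SQL text, so the
    quote and the stacked statement become part of what the parser sees."""
    return 'SELECT name FROM users WHERE name = "%s"' % username


def lookup_interpolated(conn, username):
    """Execute the spliced text as a script (stands in for a multi-statement
    API). The input now controls the statement's structure; with the
    question's exact value the parser rejects the altered text and raises,
    so the attacker, not the developer, decides what the server sees."""
    conn.executescript(build_interpolated(username))
    return table_exists(conn, "users")


def lookup_bound(conn, username):
    """Safe pattern: the statement text is fixed; the value is handed to the
    driver separately and is treated purely as data, never parsed as SQL."""
    rows = conn.execute(BOUND_SQL, (username,)).fetchall()
    return [r[0] for r in rows], table_exists(conn, "users")


if __name__ == "__main__":
    print(build_interpolated(MALICIOUS_INPUT))   # attacker text inside the SQL
    print(lookup_bound(fresh_db(), MALICIOUS_INPUT))  # ([], True): no match, table intact
```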

© Stack Overflow or respective owner
