mysqli_stmt_bind_param SQL Injection
Posted by profitphp on Stack Overflow
Published on 2010-06-17T21:31:19Z
Indexed on 2010/06/17 21:33 UTC
Is there still an injection risk when using prepared statements and mysqli_stmt_bind_param?
For example:
$malicious_input = 'bob"; drop table users';
mysqli_stmt_bind_param($stmt, 's', $malicious_input);
Behind the scenes, does mysqli_stmt_bind_param pass this query string to MySQL:
SET @username = "bob"; drop table users";
Or does it perform the SET command through the API, or use some type of protection to keep this from happening?
© Stack Overflow or respective owner
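An added example, not part of the original post: mysqli prepared statements use MySQL's binary prepared-statement protocol, where the SQL text travels once in COM_STMT_PREPARE and each bound value travels later in COM_STMT_EXECUTE as length-prefixed bytes. The Python sketch below builds both payloads for the input from the question. The SQL text and statement id are constructed, and the 0xFD type code for an 's' binding is an assumption.

```python
import struct

COM_STMT_PREPARE, COM_STMT_EXECUTE = 0x16, 0x17
MYSQL_TYPE_VAR_STRING = 0xFD  # assumption: type code the client sends for an 's' binding

SQL = "SELECT id FROM users WHERE username = ?"   # constructed statement
VALUE = 'bob"; drop table users'                  # input from the question


def prepare_payload(sql):
    """COM_STMT_PREPARE: command byte plus the SQL text, placeholders included."""
    return bytes([COM_STMT_PREPARE]) + sql.encode()


def execute_payload(stmt_id, params):
    """COM_STMT_EXECUTE carrying non-NULL string parameters shorter than 251 bytes."""
    out = bytes([COM_STMT_EXECUTE]) + struct.pack("<IBI", stmt_id, 0, 1)  # id, flags, iteration count
    if params:
        out += bytes((len(params) + 7) // 8)          # NULL bitmap, all zero
        out += b"\x01"                                # new-params-bound flag
        out += bytes([MYSQL_TYPE_VAR_STRING, 0]) * len(params)  # type + unsigned flag per parameter
    for p in params:
        raw = p.encode()
        if len(raw) >= 251:
            raise ValueError("one-byte length prefix only in this example")
        out += bytes([len(raw)]) + raw                # length-prefixed bytes, no quoting or escaping
    return out


def decode_params(payload, count):
    """Read the values back the way a server would: by length prefix, never by parsing SQL."""
    pos = 10 + (count + 7) // 8 + 1 + 2 * count       # skip header, NULL bitmap, flag, types
    values = []
    for _ in range(count):
        n = payload[pos]
        values.append(payload[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return values


if __name__ == "__main__":
    print(prepare_payload(SQL))
    print(execute_payload(1, [VALUE]).hex())
    print(decode_params(execute_payload(1, [VALUE]), 1))
```

The quote and semicolon in the value never reach the SQL parser; they arrive as 22 counted bytes that the server compares against the column.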