0
\$\begingroup\$

I was wondering if I could please get some justification if the PHP code I wrote using Mysqli prepared statements would be able to withstand SQL injection attacks.

I have one field that gets a value from a form. Code works 100% fine, just want to make sure it is secure against SQL injection.

$steaminput = filter_input(INPUT_POST, 'steamid_user', FILTER_SANITIZE_STRING);
$conn = mysqli_connect(host, user, pass, table);
$sql = "SELECT username, activated, expiration_date FROM donors WHERE steam_id=?";

$stmt = mysqli_prepare($conn, $sql);

mysqli_stmt_bind_param($stmt, "s", $steaminput);

mysqli_stmt_execute($stmt);

mysqli_stmt_bind_result($stmt, $username_res, $activated_res, $expiration_res);



  while(mysqli_stmt_fetch($stmt)){
    $data = array('username'=>$username_res, 'activated'=>$activated_res, 'expiration_date'=>$expiration_res);
  }


mysqli_stmt_close($stmt);
mysqli_close($conn);
//I use array information from retreival here
\$\endgroup\$

1 Answer 1

Reset to default
1
\$\begingroup\$

The final parameter here is misnamed:

$conn = mysqli_connect(host, user, pass, table);

It denotes name of MySQL database (e.g. "test") rather than name of a table (e.g. "test.donors" or "donors.donors").

The _res suffix is superfluous and may be safely elided:

mysqli_stmt_bind_result($stmt, $username_res, $activated_res, $expiration_res);

want to make sure it is secure against SQL injection.

Yes, you are using the API as recommended, in secure fashion.

\$\endgroup\$
2
  • \$\begingroup\$ I agree with this answer. It's a simple bit of code, not much can go wrong. \$\endgroup\$ Commented Sep 2, 2017 at 23:14
  • \$\begingroup\$ The $con was just an example. Thanks for the response and the reassurance I did things correctly \$\endgroup\$ Commented Sep 3, 2017 at 3:02

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.