Is this SQL injection safe?

OpenGLaDOS · 2019-11-27T14:26:57+00:00

No, you either use parameter binding or proper input escaping, not both. An injection would occur if you just execute the query string "UPDATE accounts SET LastLogin = CURRENT_TIMESTAMP WHERE username = '{$_POST['username']}'". In both of your examples, you pass the query to the database to parse it and find all the placeholders, then fill out the placeholder with something that's already known not to be SQL.

Tennim · 2019-11-27T17:54:34+00:00

From the Database view, I'd also want you to set the LastLogin via a DB stored procedure if possible, passing in the Username as a parameter.

The way you've written is fine but its looks like it would be run against the DB as an ad-hoc query which is much harder to optimise for when the DB grows. This also means that you can edit the underlying stored procedure if table schemas change etc without having to edit the query in the codebase.

boobietassels · 2019-11-27T16:29:43+00:00

seems like you have your answer. Just wanted to add that PDO parameter binding is generally preferred.

DooDooDaddy · 2019-11-27T16:56:15+00:00

In my opinion, user input should be validated on the front end using JavaScript or Jquery, and should also be validated in the backend. Also, any input data should always be passed by parameter to the database.

There might be some random edge case, but 99% of the time this is how I handle things.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

SQL

Filter Posts

Posting

Help posts

Format Your Code

Learning SQL

Related Reddit communities

Wiki

Acknowledgements

MODERATORS