Austin Austin - 1 year ago 55
MySQL Question

Would this source of code be "Safe" from SQL injections?

Would the following source of code be safe from SQL injections? If not, would you please provide a way to make it more secure?

Please note: Database credentials were hidden for security while making this post.

PHP Version: 7.0

try {
    $handler = new PDO('mysql:host=localhost;dbname=hidden', 'hidden', 'hidden');
    //**$handler->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
} catch (PDOException $e) {
    echo $e->getMessage();
}

$myID = 8869935;
// The SQL text is a fixed literal; the value is supplied separately as a bound parameter.
$query = $handler->prepare('SELECT * FROM Calls WHERE UserID=:cid');
$query->bindParam(':cid', $myID);
$query->execute(); // the prepared statement has to be executed before rows can be fetched

while ($row = $query->fetch()) {
    echo $row['CallerID'], '<br>';
}


Answer Source

There's an easy way to tell if this is safe from SQL injection vulnerabilities:

The query string has no PHP variables concatenated with it:

$handler->prepare('SELECT * FROM Calls WHERE UserID=:cid');

This is just a string, with no PHP variables or PHP constants. It's a fixed string, and nothing is modifying it before it is given to the prepare() function. This is enough to guarantee it's safe from SQL injection.

There's no way the bind variables for the query parameter can introduce SQL injection. The query is parsed by the RDBMS before bind variables are combined. There is no way an SQL injection can modify the query after the query is parsed.
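To see the difference the answer describes in running code, here is an added example that is not part of the original question or answer. It uses PDO against an in-memory SQLite database (it assumes the pdo_sqlite extension is loaded) so it runs offline; the table and column names follow the question, the rows and the attacker string are constructed for the demonstration, and the function names vulnerable() and safe() are this example's own.

```php
<?php
// Added example, not code from the original post: the same query built by
// string concatenation versus with a bound parameter.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema and rows for the demonstration.
$pdo->exec('CREATE TABLE Calls (UserID INTEGER, CallerID TEXT)');
$pdo->exec("INSERT INTO Calls VALUES (8869935, 'alice'), (1, 'bob'), (2, 'carol')");

// Attacker-controlled input (constructed): closes the comparison and appends
// a tautology so the WHERE clause matches every row if it is parsed as SQL.
$userInput = "0 OR 1=1";

// Vulnerable: the variable is pasted into the SQL text, so the parser sees
// "WHERE UserID=0 OR 1=1" and the attacker has rewritten the query.
function vulnerable(PDO $pdo, string $input): array {
    $sql = 'SELECT CallerID FROM Calls WHERE UserID=' . $input;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the SQL text is a fixed literal with a placeholder. The statement is
// parsed first; the value is attached afterwards and can only ever be data.
function safe(PDO $pdo, string $input): array {
    $stmt = $pdo->prepare('SELECT CallerID FROM Calls WHERE UserID=:cid');
    $stmt->bindValue(':cid', $input); // bound as a value, never as SQL
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(vulnerable($pdo, $userInput));
print_r(safe($pdo, $userInput));
print_r(safe($pdo, '8869935'));
```

With the concatenated form the tautology is part of the query and every CallerID comes back; with the bound form the whole string "0 OR 1=1" is compared against UserID as a value, matches nothing, and only the legitimate lookup for 8869935 returns a row. One caveat the question's commented-out line hints at: with the MySQL driver, PDO::ATTR_EMULATE_PREPARES is on by default, so PDO quotes the value client-side and interpolates it instead of sending a server-side prepare. That is still safe for the query shown, but it relies on PDO quoting with the connection's real character set, which is why the charset belongs in the DSN; setting the attribute to false makes the server do the parsing before the value ever arrives, exactly as the answer describes.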
