0

I am making a login system which needs to check the validity of a user. Basically, it takes three steps.

  1. Get $username from user input

  2. Check whether $username exists in the database

    SELECT * FROM members WHERE name = $username LIMIT 1
    
  3. Update login information for $username (e.g. login time, IP, ...)

    UPDATE members SET ip = $ip WHERE name = $username
    

In the second step, assume I have used prepared-statement to query the (MySQL) database, in order to avoid SQL injection. I wonder there is still a need to use prepared-statement in the third step.

My logic is that $username has passed the second step, so it should be a valid argument. To save extra server round trip due to the use of prepared-statement, it seems that there is no need to update the database using prepared-statement in the third step.

I am very new to using database. Hope someone could clarify my problem. :)

CY Wong
  • 135
  • 1
  • 4

3 Answers3

3

no! always use prepared statements. you can pass 10 validations but delete your database in the 11th

Dima
  • 8,586
  • 4
  • 28
  • 57
  • It doesn't exactly work that way. You don't **always** need to use prepared statements, and prepared statements are not a silver bullets. They are a tool you need to know how to use properly. That's all. – Madara's Ghost Feb 22 '14 at 12:36
  • when you are getting a parameter from outside of your code, you should always use prepared statements – Dima Feb 22 '14 at 13:28
  • That's true. Actually, whenever you are getting a parameter, even from inside your code, you should be using prepared statements. But not all queries are suitable for prepared statements. – Madara's Ghost Feb 22 '14 at 13:29
0

If the username has a special character in it, it will affect your second query. This is referred to as a second order SQL injection.

Wayne Whitty
  • 19,513
  • 7
  • 44
  • 66
0

If $username is something evil in the first line, it will be in the second line.

Unless you overwrite it with a value read from the database.

Str.
  • 1,389
  • 9
  • 14
  • I am confusing about how an evil $username can return me something for the "SELECT" statement? – CY Wong Feb 22 '14 at 11:51
  • It can do with your data what you can do, maybe drop some tables. The keyword to search for is **SQL injection**. – Str. Feb 25 '14 at 20:14