2

I've been reading up on SQL injections and I couldn't find an answer to this question.

I understand if I a query like this

prepare("SELECT id, foo, bar FROM table WHERE username = ?");

Then I should use bind_param('s', $username) to avoid SQL injection possibilities.

But what if I running my query on something that is not user-inputted but something like an auto-generated ID. Example:

prepare("SELECT username, foo, bar from table where id = ?");

Where id is self-generated (auto-incremented value). Do I have to make use of bind_param('i', $id) here too or can I just prepare the query as:

prepare("SELECT username, foo, bar from table where id = '$id'");

If bind_param(); is needed, why?

Thanks!

Muhammad Ali
  • 668
  • 1
  • 9
  • 24
  • Today it’s generated, tomorrow it’s user-provided. If you strictly pass all data only via parameters, you don’t have to worry about whether the value may be influenced by the user or not. – Gumbo Jul 06 '15 at 16:41

2 Answers2

1

Technically you're not at risk if you don't prepare data that's not coming from user input. However, it's strongly advised to do so for a couple of reasons:

  1. If you forget to prepare any user input data somewhere, there's a chance this user injected something miscellaneous into a data row that you didn't expect to ever be user input.
  2. It's a good practice to repeat what you're doing to keep your server secure. If you start mixing it up, you're much more likely to forget preparing data where it's actually needed to do so.
  3. Preparing your data is not just to prevent SQL injection from attackers. It'll also prevent some database issues in case you accidently create a bug in your code. For example:

Somewhere in your code you have a log system that adds an errorlog to your database. The string would be:

Error: User "xxx" with IP "x.x.x.x" used a wrong password.


This string is generated by your script. Therefor you don't prepare it. Yet the quotes inside this string will cause errors with your database that could've been prevented if you prepared it anyway.

icecub
  • 8,615
  • 6
  • 41
  • 70
-2

If you are not running your query on user-inputed values, then use the query() method instead. Don't use bindParams() and execute() since you are not working with prepare().

query(SELECT username, foo, bar from table where id = '$id'");
oreofeolurin
  • 636
  • 3
  • 16