Member Avatar for davy_yg

Hello,

I am trying to understand prepared statement and what it does.

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29

"Prepared statements ensure that an attacker is not able to change the intent of a query, even if SQL commands are inserted by an attacker. In the safe example below, if an attacker were to enter the userID of tom' or '1'='1, the parameterized query would not be vulnerable and would instead look for a username which literally matched the entire string tom' or '1'='1. "

If an attacker input: userID of tom' or '1'='1

what will prepared statement detect as a userID?

userID: tom

Is that true? If all of them userID: tom' or '1'='1
then the SQLIA will be successful correct ?

  • 2 Contributors
  • 3 Replies
  • 461 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by rproffitt
Member Avatar for rproffitt

Q. what will prepared statement detect as a userID?

A. I don't see your code so I can't tell yet.

Tell more, but the article was clear enough for me. That is, it doesn't allow user input to a variable to be used in the SQL statements.

Member Avatar for davy_yg

Let say :

$stmt = $dbh->prepare("SELECT * FROM users WHERE userID = $id");
$stmt->bindParam(':id', $name);

If I input: userID: tom' or '1'='1

What will be detected as the userID ? What will the query be like?

This is taken from the article. I only add the prepared statement.

Edited by davy_yg
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.