Tuesday, May 17, 2022

[FIXED] How do binding parameters prevent SQL injection?

 May 17, 2022     php, sql, sql-injection     No comments   

Issue

In PHP, I've found a few methods to prevent SQL injection. Binding parameters is one of them. But I'm unable to find a complete explanation of how binding parameters actually prevent SQL injection. I was of the notion that binding parameters simply save time in binding different data to the same SQL statement. How does prevention of SQL injection come into the picture?


Solution

I think a simple example will explain the thing:

  "select * from myTable where name = " + condition;

imagine that user input as a condition is

  '123'; delete from myTable; commit;

What happens then? The query executed will be

  select * from myTable where name = '123'; delete from myTable; commit;

Or actually we have three queries with disastrous consequences:

  select * from myTable where name = '123';
  delete from myTable;
  commit;

In case of bind variables:

  "select * from myTable where name = @prmName"

Whatever the user input is, it'll be one and only one query, and the weird input above will always be treated as a string, not as a part of the query. The outcome will be (most probably) an empty cursor, since there are no names within myTable like

  "'123'; delete from myTable; commit;"


Answered By - Dmitry Bychenko
Answer Checked By - Robin (PHPFixing Admin)
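To make the answer's point concrete, here is an added example (not code from the original question or answer) that runs the concatenated query and its bound-parameter form side by side with PHP's PDO against an in-memory SQLite database, so it works offline. The table, its rows, and the helper `rowCount` are constructed for the demo; the hostile value is the one from the answer. PDO's placeholder syntax is `:prmName`, which plays the role of the answer's `@prmName`.

```php
<?php
// Added example, not code from the original answer: the concatenated query
// from the answer next to its bound-parameter form, run with PDO against an
// in-memory SQLite database. Table contents are constructed for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE myTable (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$pdo->exec("INSERT INTO myTable (name) VALUES ('alice'), ('bob'), ('123')");

// Constructed helper: how many rows are left in myTable.
function rowCount(PDO $pdo): int
{
    return (int) $pdo->query("SELECT COUNT(*) FROM myTable")->fetchColumn();
}

// The hostile "condition" from the answer, exactly as a user would submit it.
$condition = "'123'; delete from myTable; commit;";

// 1) Concatenation: the input is spliced into the SQL text, so the parser
//    sees three statements. exec() hands the whole string to SQLite.
$unsafeSql = "select * from myTable where name = " . $condition;
echo "Concatenated SQL: $unsafeSql\n";
echo "Rows before concatenated query: ", rowCount($pdo), "\n";
try {
    $pdo->exec($unsafeSql);
} catch (PDOException $e) {
    // SQLite rejects the trailing COMMIT because no transaction is open,
    // but the DELETE in front of it has already run in autocommit mode.
    echo "Driver error on the tail: ", $e->getMessage(), "\n";
}
echo "Rows after concatenated query: ", rowCount($pdo), "\n"; // table emptied

// Refill the table so the second half starts from the same state.
$pdo->exec("INSERT INTO myTable (name) VALUES ('alice'), ('bob'), ('123')");

// 2) Bound parameter: the SQL text is fixed and parsed first; the value is
//    attached afterwards and can only ever be compared as a string.
$stmt = $pdo->prepare("select * from myTable where name = :prmName");
$stmt->execute([':prmName' => $condition]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo "Rows matched with bound parameter: ", count($rows), "\n"; // empty: no such name
echo "Rows after bound query: ", rowCount($pdo), "\n";          // nothing deleted

// The same prepared statement with a benign value returns the row it should.
$stmt->execute([':prmName' => '123']);
echo "Rows matched for '123': ", count($stmt->fetchAll(PDO::FETCH_ASSOC)), "\n";
```

Run it with `php example.php` (the `pdo_sqlite` extension ships with most PHP builds). The difference to watch is the row count: after the concatenated query the table is empty, while after the bound query every row is still there and the query simply matched nothing, because the whole hostile string was compared against the `name` column as one value rather than parsed as SQL.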