
I am coding a social debating application, and I am worried about the security of prepared statements. Why does it bother me so much? Because social networks take massive amounts of user data and some may be malicious.

I just want to know if MySQLi's prepared statements feature is enough to protect from the most common types of SQL injection. This has probably been asked before somewhere on the web, but, with the massive amount of outdated information on the net, it is very hard to know if there's been anything found about it.

I've heard of various exploits on PDO, for example, yet some sites say there are no exploits. That's where the confusion comes in. I understand that many exploits are found each day. But I want at least to protect against the most popular exploits.

And, if there are any additional methods of protecting SQL queries, please point them out in your answer.

  • I would answer "Yes" to your question. Using prepared statements saves you from SQL injections caused by user inputs, but securing your database takes more than that, I think. See this link, it may help you, and I can say the contents of this link are pretty much up to date. http://stackoverflow.com/questions/134099/are-pdo-prepared-statements-sufficient-to-prevent-sql-injection – Mubo Jun 28 '14 at 23:26
  • Put that as an answer and I'll mark it – Sergio E. Diaz Jun 28 '14 at 23:43

1 Answer

Prepared statements are a good way to prevent MySQL injection. But what about XSS attacks? Those queries do not prevent users from submitting HTML or JavaScript code. If you don't take additional steps, they will simply alter your HTML code (if you output raw database results) and inject links to unwanted sites.

About Prepared Statements:

Prepared statements prevent any input from leaving its scope as a variable. That is, every "ending quote" or such would be escaped and made harmless.

SQL injection is nearly impossible. But... who said that the native prepared statement is enough? If you trust your native prepare methods, OK. If not, try to break it yourself. Write test cases to prove that the most basic and maybe some more complex cases cannot break your prepared statement methods.

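The test cases the answer recommends, as an added example that is not part of the original answer: a string-concatenated login query beside its parameterized form, run over a small set of constructed inputs, plus the separate output-encoding step that prepared statements do not give you. It uses Python's sqlite3 parameter binding in place of MySQLi's prepared statements (same principle: the statement text is fixed before the values are bound); the table, rows and test inputs are made up.

```python
import html
import sqlite3

def make_db():
    # Constructed in-memory table standing in for the application's MySQL schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_concat(conn, name, password):
    # Vulnerable form: input is spliced into the SQL text, so a quote in the
    # input ends the literal and whatever follows is parsed as SQL.
    sql = f"SELECT id FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]

def login_prepared(conn, name, password):
    # Prepared form: the statement is fixed, the values are bound as data,
    # so a quote inside a value never leaves its scope as a variable.
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]

def render_name(raw):
    # Prepared statements say nothing about output: a stored name that
    # contains markup must still be HTML-encoded before it is written to a page.
    return html.escape(raw, quote=True)

# Constructed test cases: (name, password, rows a correct login check returns).
TEST_CASES = [
    ("alice", "s3cret", [1]),                # legitimate login
    ("alice", "wrong", []),                  # wrong password
    ("bob", "' OR '1'='1", []),              # quote closes the literal
    ("alice'--", "anything", []),            # comment marker inside a value
    ("alice", "s3cret' AND 'a'='a", []),     # must be compared as a string
]

def run_cases(conn, login):
    """Return the (name, password) inputs for which `login` gives the wrong rows."""
    return [(n, p) for n, p, want in TEST_CASES if login(conn, n, p) != want]

if __name__ == "__main__":
    db = make_db()
    print("concat failures:  ", run_cases(db, login_concat))    # three cases break it
    print("prepared failures:", run_cases(db, login_prepared))  # []
    print(render_name("<script>alert(1)</script>"))
```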
  • I take steps against those. – Sergio E. Diaz Jun 28 '14 at 23:04
  • @Sergio: your question is rather too broad, but if you are interested in what security issues you should be considering, XSS should be near the top of your list. – halfer Jun 28 '14 at 23:55
  • Maybe think about including OWASP to inform the OP of the risks currently out there and the best way to prevent them :) – Callum Linington Jun 28 '14 at 23:58
  • Guys, just because I have 1 rep does not mean I am a total PHP and sec noob. I know about those attack types. – Sergio E. Diaz Jun 29 '14 at 00:00
  • @Sergio: people are giving you extra detail because you asked for them, not because you are a beginner. – halfer Jun 29 '14 at 10:28
  • The way he wrote about it was wrong. – Sergio E. Diaz Jun 29 '14 at 14:23
  • @Sergio, why not explain why it was wrong? If you wish to give Umingo feedback, please make it constructive and helpful (note that your note about it being 'off topic' has been deleted by a moderator). In the meantime, when addressing individuals here, please use their at-handle, so they are notified that you are communicating with them. – halfer Jun 29 '14 at 22:57