Mysqli - Are parameterized queries enough for preventing XSS second order attacks?

Question

I am working on a dynamic application and I am not sure if parameterized queries are safe from XSS, second order attacks? Can you help me? Thanks!

I have this code as an example:

  $stmt = $mysqli->prepare("INSERT INTO tb (1, 2, 3, 4, 5, 6, 7) VALUES (?, ?, ?, ?, ?, ?, ?)");

    $stmt->bind_param('sssssss', $1, $2, $3, $4, $5, $6, $7);
    $stmt->execute();
    $stmt->close();

score 1 · Accepted Answer · answered Sep 18 '14 at 15:09

1

Nope.

A parametrized query protects against SQL Injection; that is it ensures query parameters are well formed and correctly escaped prior to processing by the SQL back end.

XSS is a different class of problem whereby input should be sanitized of HTML markup; given that a correctly parametrized SQL value can still contain markup, you need additional encoding (E.g. htmlspecialchars()).

answered Sep 18 '14 at 15:09

Alex K.

171,639
30
264
288

Thanks Alex! The htmlspecialchars() is enough then? – Victor Sep 18 '14 at 15:15
... *probably*, take a look at [How to prevent XSS with HTML/PHP?](http://stackoverflow.com/questions/1996122/how-to-prevent-xss-with-html-php) – Alex K. Sep 18 '14 at 15:16
XSS and second order attacks are the same thing? – Victor Sep 18 '14 at 15:23
2nd order is a type of XSS attack (the type that applies to the storage of compromised data) – Alex K. Sep 18 '14 at 15:25

score 1 · Answer 2 · answered Sep 20 '14 at 13:41

Definitely not.

Please don't implement XSS user sanitisation yourself.

Please do use a separate library specifically for this. You're never going to be able to do it catch all the corner cases.

Here is a short-list of some of the corner cases you need to combat against.

Mysqli - Are parameterized queries enough for preventing XSS second order attacks?

2 Answers2