1

Today I discovered my site got hacked through SQL injection. I thought this was impossible, since I am using bind_param.

if ($_GET['api'] == 'info') {
    $status = 'Test';
    // $mysqli is an open mysqli connection created elsewhere
    $stmt = $mysqli->prepare("INSERT INTO information(one, two, status) VALUES (?,?,?)");
    // three string parameters, bound by reference; the values travel
    // separately from the SQL text, so they are never parsed as SQL
    $stmt->bind_param('sss', $_GET['1'], $_POST['2'], $status);
    $stmt->execute();
    $stmt->close();
}

What am I doing wrong?

johnny

1 Answer

1

Well, your statements are mutually exclusive. Either you know for sure that it was SQL injection, and in that case you know which it was; or you have no evidence that it was SQL injection and not something else.

As for the given code snippet: no, it is impossible to inject through this code.

So either it was SQL injection in some place where you weren't using bind_param, or it was some other kind of attack.

Your Common Sense
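The difference the answer is pointing at, as an added example that is not code from the question or the answer: the same INSERT written with string concatenation (the kind of code to hunt for elsewhere in the site) beside the prepared-statement form, fed one constructed hostile value. The helper names, the connection parameters and the hostile input are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. Assumes a MySQL server with a
// table information(one, two, status); hostname, credentials and database
// name below are assumed values.

/**
 * The pattern to look for in the rest of the site: user input is pasted
 * into the SQL text, so a quote inside $one ends the string literal and
 * everything after it is parsed as SQL.
 */
function insert_unsafe(mysqli $mysqli, string $one, string $two, string $status): bool
{
    // VULNERABLE on purpose: shown only to contrast with insert_safe()
    $sql = "INSERT INTO information(one, two, status) VALUES ('$one', '$two', '$status')";
    return $mysqli->query($sql) !== false;
}

/**
 * Same INSERT as a native prepared statement (what the question's code does):
 * the SQL text reaches the server before the values, and the values are sent
 * as typed parameters, so no quote in them can change the statement.
 */
function insert_safe(mysqli $mysqli, string $one, string $two, string $status): bool
{
    $stmt = $mysqli->prepare("INSERT INTO information(one, two, status) VALUES (?, ?, ?)");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('sss', $one, $two, $status);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed hostile input: closes the string literal and the VALUES list,
// then turns the rest of the original statement into a MySQL comment
// (the space after "--" is required for MySQL to treat it as a comment).
$hostile = "x', 'y', 'z') -- ";

$mysqli = new mysqli('localhost', 'app', 'secret', 'appdb'); // assumed credentials
$mysqli->set_charset('utf8mb4');

// Concatenation produces this SQL:
//   INSERT INTO information(one, two, status) VALUES ('x', 'y', 'z') -- ', 'two', 'Test')
// The attacker now chooses all three column values, including the `status`
// column the application meant to set to 'Test' itself.
insert_unsafe($mysqli, $hostile, 'two', 'Test');

// The prepared statement stores the whole payload literally in `one`;
// `status` stays 'Test'.
insert_safe($mysqli, $hostile, 'two', 'Test');
```

Two things worth checking while auditing the rest of the site. First, placeholders only bind values: table and column names (including the column in an ORDER BY) cannot be passed through bind_param, so any user input that reaches those positions needs an allowlist, not a placeholder. Second, a quick way to find candidates is to search the code for `->query(`, `->multi_query(` and `->real_query(` calls whose SQL string contains a `$` variable, since those are the places where a prepared statement is not in use.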