i wish to know if i need protection against sql injection only in the case of the inserts i write, or if it is needed to use prepared statements for all the queries. How do i test it with sqlmap? (localhost)
Asked
Active
Viewed 448 times
1 Answers
0
Use Prepared statements below is an example
$name = $_GET['username'];
if ($stmt = $mysqli->prepare("SELECT password FROM tbl_users WHERE name=?")) {
// Bind a variable to the parameter as a string.
$stmt->bind_param("s", $name);
// Execute the statement.
$stmt->execute();
// Get the variables from the query.
$stmt->bind_result($pass);
// Fetch the data.
$stmt->fetch();
// Display the data.
printf("Password for user %s is %s\n", $name, $pass);
// Close the prepared statement.
$stmt->close();
}
Rajat Jaiswal
- 645
- 4
- 15
-
1Refer :https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Rajat Jaiswal Jun 17 '17 at 18:40
-
i know how to use prepared statements...i don t know if i have to do it for all querries – Cosmin Istudor Jun 17 '17 at 19:18
-
If you restrict the user at the time of login then that is well enough. – Rajat Jaiswal Jun 18 '17 at 05:08