I just saw the following usage of an SQL prepared statement and was wondering whether it would actually prevent SQL injection.

$sql= "Select * from mytable where id =" . $id;
$stmt = $con->prepare($sql);
$stmt->execute();

Since this does not use a parameterized placeholder for $id, which would supply the value later and avoid appending it directly to the query, I was wondering whether this provides enough protection against SQL injection?

Thanks.

pal4life
  • No, it doesn't. You're not binding anything. – FirstOne Dec 18 '17 at 17:26
  • It depends on where `$id` comes from. *Never, ever trust user input.* – Jay Blanchard Dec 18 '17 at 17:27
  • _Never trust any input._ – FirstOne Dec 18 '17 at 17:28
  • They're called injection bugs because variables get injected into the query without escaping. Here you're doing precisely that with `$id`. The reason placeholder values exist is to separate the query from the data associated with it; ideally no values are ever injected. – tadman Dec 18 '17 at 18:13
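The difference the comments describe, as an added example that is not part of the original question or its comments: the concatenated query from the question beside a version that binds the value, run through PDO against an in-memory SQLite database so it works offline. The table, its rows and the `$id` values are constructed for the demonstration.

```php
<?php
// Added example, not from the original question. Runs offline against an
// in-memory SQLite database; table contents and $id values are constructed.
$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$con->exec("CREATE TABLE mytable (id INTEGER PRIMARY KEY, name TEXT)");
$con->exec("INSERT INTO mytable (id, name) VALUES (1, 'alice'), (2, 'bob')");

// 1. The pattern from the question: $id is glued into the SQL text before
//    prepare() ever sees it, so whatever it contains is parsed as SQL.
function fetchConcatenated(PDO $con, string $id): array
{
    $sql  = "SELECT * FROM mytable WHERE id = " . $id;
    $stmt = $con->prepare($sql);   // with $hostile this prepares "... WHERE id = 1 OR 1=1"
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Parameterized: the statement text holds only a placeholder, the value
//    travels separately and cannot change the query's structure. Validating
//    the type first is defence in depth, not a substitute for binding.
function fetchBound(PDO $con, string $id): array
{
    $intId = filter_var($id, FILTER_VALIDATE_INT);
    if ($intId === false) {
        throw new InvalidArgumentException("id must be an integer, got: $id");
    }
    $stmt = $con->prepare("SELECT * FROM mytable WHERE id = :id");
    $stmt->bindValue(':id', $intId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$hostile = "1 OR 1=1";   // constructed attacker-controlled value

// Concatenation: the WHERE clause is rewritten and every row comes back.
$rows = fetchConcatenated($con, $hostile);
echo "concatenated: " . count($rows) . " row(s)\n";

// Binding: the same value is rejected before it reaches the database;
// a legitimate value is looked up as data, not as SQL.
try {
    fetchBound($con, $hostile);
} catch (InvalidArgumentException $e) {
    echo "bound: rejected (" . $e->getMessage() . ")\n";
}
$rows = fetchBound($con, "2");
echo "bound: " . count($rows) . " row(s), name=" . $rows[0]['name'] . "\n";
```

Binding stays safe even when PDO emulates prepares client-side (the MySQL driver's default), because the driver quotes the bound value itself; concatenating into the statement text bypasses that in every mode.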
