
My code has to pass a security check but it didn't because of an SQL injection risk. They have requested that I use parameters, which I thought I already used, so now I wonder how to make my code better?

$imgId = $_POST["imgId"];
// The SQL text contains only a placeholder; the value never becomes part of the query string
$stmt = $link->prepare("SELECT * FROM my_table WHERE image_id = ?");
// Bind the value to the placeholder ("s" = string type)
$stmt->bind_param("s", $imgId);
$stmt->execute();
$result = $stmt->get_result();
$stmt->close();

This is one of my SQL statements; every one of them is structured like this one.

So my question is, first of all, is my code susceptible to SQL injection, and secondly, how do I make it more secure?

ReynaMoon
  • Regarding SQL injections, your code is safe. A couple of things though. I'm guessing that `$imgId` is an integer, so you should bind it as such, change `s` to `i`. Then I would check if the parameter `$_POST['imgId']` is set before trying to use it, but that's not really a security issue. Who said that the above wasn't safe? – M. Eriksson Mar 23 '19 at 08:50
  • I unfortunately can't say which corporation but it's a huge international one that requires this kind of security check and they said it was a risk and that's why I posted the question here because I was so confused by that assessment. And image id actually is a string. Thank you for your answer :) – ReynaMoon Mar 23 '19 at 09:00
  • Then just get back to them and say that you're already using it and ask what's insecure about the way you've done it. – M. Eriksson Mar 23 '19 at 09:06
  • Were you provided the criteria/requirements against which your code would be evaluated? If yes, your answer is in there. If not, find another customer/employer. – YvesLeBorg Mar 23 '19 at 09:31

1 Answer


Maybe you should try regular expressions on your imgId if you know what the expected input is supposed to be, and preg_match it.

Toni Sfeir
  • That's just validation and won't change anything regarding security or SQL injections. Since the OP is using parameterized prepared statements, all that would happen if someone passed in an invalid id would be that the query wouldn't return any results. – M. Eriksson Mar 23 '19 at 09:08
  • a good guess, but just a WAG until OP discloses the code evaluation criteria. – YvesLeBorg Mar 23 '19 at 10:18
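To make the two points in this thread concrete (bound parameters are what stops injection; a regex check is validation layered on top), here is an added example that is not from the question or the answer. It uses Python's sqlite3 module standing in for PHP's mysqli, since the mechanism is the same and it runs offline; the table, rows and the `img-NNN` id format are constructed for the demo.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the question's my_table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_table (image_id TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO my_table VALUES (?, ?)",
        [("img-001", "alice"), ("img-002", "bob")],
    )
    return conn


def lookup_concatenated(conn, img_id):
    """The unsafe pattern: the request value is spliced into the SQL text,
    so quotes and keywords inside it change the query's meaning.
    Shown only as the contrast to lookup_bound()."""
    sql = "SELECT * FROM my_table WHERE image_id = '" + img_id + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, img_id):
    """Equivalent of the OP's prepare() / bind_param() / execute():
    the SQL text is fixed and the value is sent separately, so it is
    only ever compared as data. An odd value simply matches no row."""
    return conn.execute(
        "SELECT * FROM my_table WHERE image_id = ?", (img_id,)
    ).fetchall()


# Assumed id format for the demo; use whatever shape real imgId values have.
IMG_ID_PATTERN = re.compile(r"img-\d{3}")


def lookup_validated(conn, post):
    """The answer's suggestion on top of binding: confirm the POST field is
    present and has the expected shape (M. Eriksson's isset() point plus a
    preg_match-style check). Returns None when the input is rejected."""
    img_id = post.get("imgId")
    if img_id is None or not IMG_ID_PATTERN.fullmatch(img_id):
        return None
    return lookup_bound(conn, img_id)
```

Validation improves error handling and keeps junk out of the query, but the binding is what makes the lookup safe even when validation is skipped.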