1

For example, I have this input:

Name: Wally

Email: wallycat@example.com'; DROP TABLE ClientTable; PRINT 'Too bad!'--

My parameterized query is:

$name = $_REQUEST['name'];
$email = $_REQUEST['email'];
$sql = "INSERT INTO ClientTable (Name, Email)
        VALUES ('$name', '$email')";

Even if I use this parameterized query, do I need to validate the user input? (in this case, the email field)

Or is it already safe since I'm using a parameterized query, and the query will simply store all of this: 'wallycat@example.com'; DROP TABLE ClientTable; PRINT 'Too bad!'--' in the database?

Thank you!

  • 9
    That's not a parametrized query... Not at all. http://27.media.tumblr.com/tumblr_lwru33NE821r803nno1_500.jpg – Damien Pirsy Feb 27 '12 at 16:18
  • 2
    You can see [here](http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php) – Jayyrus Feb 27 '12 at 16:20
  • I would check user input no matter what, but maybe I'm just paranoid ... – A.B.Cade Feb 27 '12 at 16:20
  • possible duplicate of [How prepared statements can protect from SQL injection attacks?](http://stackoverflow.com/questions/8263371/how-prepared-statements-can-protect-from-sql-injection-attacks) – Your Common Sense Feb 27 '12 at 17:44

3 Answers

2

You can use

$unsafe_variable = $_POST["user-input"];
// Escapes quotes and other special characters for the currently open mysql_* connection
// (the mysql extension itself was removed in PHP 7).
$safe_variable = mysql_real_escape_string($unsafe_variable);

mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')");
Jayyrus
1

You should do something more like this:

$sql = sprintf(
    "INSERT INTO ClientTable (Name, Email) VALUES ('%s', '%s')",
    mysql_real_escape_string($name),
    mysql_real_escape_string($email)
);
Travesty3
  • Actually, I'm now liking the link posted by @JackTurky. I didn't know about that method. I just wrote a PHP wrapper class to do it my way, but I may change it around. – Travesty3 Feb 27 '12 at 16:24
  • I wrote a PHP wrapper class too but I see no reason to change it to anything – Your Common Sense Feb 28 '12 at 02:23
0

Parametrized queries take care of escaping. You still probably want to validate the data, though. For example, you probably want to make sure that the email is at least something like user@domain, that a phone number only consists of digits, etc. This is more about data integrity than about security, although there is some overlap.

However, you're not using a parametrized query in your example; you're just using variable substitution. A parametrized query would imply a Prepared Statement.

prodigitalson
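As an added example (not code from the question or any of the answers), here is what the OP's insert looks like as a real prepared statement, with the email validation prodigitalson recommends kept as a separate step. It assumes PDO with the pdo_sqlite extension so it runs stand-alone against an in-memory database.

```php
<?php
// Added example, not from the question or answers. Uses PDO with an in-memory
// SQLite database (assumes the pdo_sqlite extension) so it runs on its own.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ClientTable (Name TEXT NOT NULL, Email TEXT NOT NULL)');

// Constructed input mirroring the question, injection attempt included.
$name  = 'Wally';
$email = "wallycat@example.com'; DROP TABLE ClientTable; PRINT 'Too bad!'--";

// A real parameterized query: the SQL text is fixed, the values travel separately,
// so a quote or a "; DROP TABLE" inside $email can never become part of the statement.
function insertClient(PDO $pdo, string $name, string $email): void
{
    $stmt = $pdo->prepare('INSERT INTO ClientTable (Name, Email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
}

// Validation is a separate concern (data integrity): only a syntactically valid
// address should be accepted into the Email column at all.
function isValidEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// 1. Without validation, the prepared statement stores the whole string literally
//    and ClientTable still exists afterwards: the input was treated as data, not SQL.
insertClient($pdo, $name, $email);
$stored = $pdo->query('SELECT Email FROM ClientTable')->fetchAll(PDO::FETCH_COLUMN);
var_dump($stored[0] === $email);

// 2. With validation in front of the insert, the malformed "email" is rejected
//    before it ever reaches the database, while a normal address passes.
var_dump(isValidEmail($email));
var_dump(isValidEmail('wallycat@example.com'));
if (isValidEmail('wallycat@example.com')) {
    insertClient($pdo, $name, 'wallycat@example.com');
}

// Contrast with the question's variable substitution: here the input is spliced
// into the SQL text itself (shown only, never executed).
echo "INSERT INTO ClientTable (Name, Email) VALUES ('$name', '$email')\n";
```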