My code has to pass a security check, but it didn't because of an SQL injection risk. They have requested that I use parameters, which I thought I already used, so now I wonder how to make my code better?

$imgId = $_POST["imgId"];
$stmt = $link->prepare("SELECT * FROM my_table WHERE image_id = ?");
$stmt->bind_param("s", $imgId);
$stmt->execute();
$result = $stmt->get_result();
$stmt->close();

This is one of my SQL statements; each and every one is structured like this one.
So my question is, first of all, is my code susceptible to SQL injections, and secondly, how do I make it more secure?

php sql security mysqli parameters
asked Mar 23 at 8:46
tillinips12
2
Regarding SQL injections, your code is safe. A couple of things though. I'm guessing that $imgId is an integer, so you should bind it as such: change s to i. Then I would check if the parameter $_POST['imgId'] is set before trying to use it, but that's not really a security issue. Who said that the above wasn't safe?
– Magnus Eriksson
Mar 23 at 8:50
I unfortunately can't say which corporation, but it's a huge international one that requires this kind of security check, and they said it was a risk, and that's why I posted the question here, because I was so confused by that assessment. And the image id actually is a string. Thank you for your answer :)
– tillinips12
Mar 23 at 9:00
1
Then just get back to them and say that you're already using it and ask what's insecure about the way you've done it.
– Magnus Eriksson
Mar 23 at 9:06
2
Were you provided the criteria/requirements against which your code would be evaluated? If yes, your answer is in there. If not, find another customer/employer.
– YvesLeBorg
Mar 23 at 9:31
1 Answer
Maybe you should try regular expressions on your imgId if you know what the expected input is, and preg_match it.
answered Mar 23 at 9:07
Toni Sfeir
2
That's just validation and won't change anything regarding security or SQL injections. Since the OP is using parameterized prepared statements, all that would happen if someone passed in an invalid id would be that the query wouldn't return any results.
– Magnus Eriksson
Mar 23 at 9:08
A good guess, but just a WAG until OP discloses the code evaluation criteria.
– YvesLeBorg
Mar 23 at 10:18
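For reference, here is an added example (not code from the question, the answer or the commenters) that combines the question's prepared statement with the two points raised in the thread: checking that $_POST['imgId'] is present before using it, and validating its format as defence in depth. It assumes an existing mysqli connection in $link and the question's my_table with a string image_id column; the alphanumeric id pattern is an assumption.

```php
<?php
// Added example: hardened version of the question's lookup.
// Assumes an existing mysqli connection $link and a table my_table
// with a string image_id column, as in the question.
declare(strict_types=1);

// Make mysqli throw exceptions instead of returning false, so a failed
// prepare() can never be followed by calling execute() on a bool.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Look up an image row by its id.
 *
 * Security properties:
 *  - the SQL text is fixed at prepare() time; $imgId is sent to the server
 *    as a bound parameter and is never parsed as SQL, so quotes or comment
 *    sequences inside it cannot alter the query (this is the injection control);
 *  - the format check only rejects junk early and bounds the id length;
 *    as noted in the comments, it is validation, not the injection control.
 */
function findImage(mysqli $link, string $imgId): ?array
{
    // Assumed id format: 1-64 characters of [A-Za-z0-9_-].
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $imgId)) {
        return null;
    }

    $stmt = $link->prepare('SELECT * FROM my_table WHERE image_id = ?');
    // 's' because image_id is a string in the question; if the column were an
    // integer, cast to int and bind with 'i' instead, as the comment suggests.
    $stmt->bind_param('s', $imgId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();

    return $row ?: null;
}

// Only touch the parameter if the client actually sent it.
$imgId = $_POST['imgId'] ?? null;
if (!is_string($imgId)) {
    http_response_code(400);
    exit('missing imgId');
}

$image = findImage($link, $imgId);
if ($image === null) {
    http_response_code(404);
    exit('not found');
}
```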