I am trying to understand prepared statements and what they do.


"Prepared statements ensure that an attacker is not able to change the intent of a query, even if SQL commands are inserted by an attacker. In the safe example below, if an attacker were to enter the userID of tom' or '1'='1, the parameterized query would not be vulnerable and would instead look for a username which literally matched the entire string tom' or '1'='1. "

If an attacker inputs: userID of tom' or '1'='1

what will the prepared statement detect as the userID?

userID: tom

Is that true? If it is all of it, userID: tom' or '1'='1,
then the SQLIA will be successful, correct?

Discussion span: 1 month. Last post by rproffitt.

Q. What will the prepared statement detect as the userID?

A. I don't see your code so I can't tell yet.

Tell more, but the article was clear enough for me. That is, it doesn't allow user input to a variable to be used in the SQL statements.


Let's say:

$stmt = $dbh->prepare("SELECT * FROM users WHERE userID = :id"); // named placeholder instead of splicing $id into the SQL text
$stmt->bindParam(':id', $id); // the value is bound separately; the placeholder name must match the one in the statement
$stmt->execute();

If I input: userID: tom' or '1'='1

What will be detected as the userID? What will the query be like?

This is taken from the article. I only added the prepared statement.

Edited by davy_yg
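As an added example (not code from the thread or the article), the two query styles from the question side by side, using Python's sqlite3 instead of PHP PDO since the behaviour is the same: a constructed `users` table, one lookup that splices the input into the SQL text, and one that binds it as a parameter.

```python
import sqlite3

# Constructed in-memory table for the demonstration (hypothetical data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userID TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("tom", "Tom"), ("alice", "Alice"), ("bob", "Bob")],
    )
    return conn


def lookup_interpolated(conn, user_id):
    # Unsafe: the input becomes part of the SQL text, so a quote inside it
    # ends the string literal and the rest is parsed as SQL.
    sql = f"SELECT name FROM users WHERE userID = '{user_id}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, user_id):
    # Safe: the SQL text contains only a placeholder; the value is sent
    # separately and compared literally, quotes and all.
    sql = "SELECT name FROM users WHERE userID = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    db = make_db()
    attacker_input = "tom' or '1'='1"
    print("interpolated:", lookup_interpolated(db, attacker_input))
    print("prepared:    ", lookup_prepared(db, attacker_input))
```

With the input from the question, the interpolated query matches every row while the prepared one matches none, because no userID is literally `tom' or '1'='1`.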
