I want to know: can this be hacked/injected?

$stmt = $mysqli->prepare("SELECT * FROM myTable WHERE name = ?");
$stmt->bind_param("s", $_POST['name']);
$stmt->execute();
$result = $stmt->get_result();
if($result->num_rows === 0) exit('No rows');
$ages = []; // initialise before the loop so var_export() below has something to show
while($row = $result->fetch_assoc()) {
 //do some stuff
 $ages[] = $row; // collect the rows that were processed
}
var_export($ages);
$stmt->close();
asked Apr 26, 2019 at 12:09

1 Answer

Given that an answer on Stack Overflow suggests almost identical code for protection, let alone using exactly the same principle, you can safely assume that your query is protected.

If you want to know how it works, I also wrote an answer on Stack Overflow: https://stackoverflow.com/a/8265319/285587

Nevertheless, as this site is for code reviews offering some suggestions, I would suggest using PDO for database interactions instead of mysqli, simply because the PDO API is much more versatile and easier to use. See your snippet rewritten in PDO:

// $pdo is a PDO connection; the mysqli handle cannot be reused here
$stmt = $pdo->prepare("SELECT * FROM myTable WHERE name = ?");
$stmt->execute([$_POST['name']]);
// rowCount() on a SELECT is reliable for MySQL buffered queries but not guaranteed for every PDO driver
if($stmt->rowCount() === 0) exit('No rows');
while($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
 //do some stuff
}

As you can see, some nagging operations are just gone. I wrote a tutorial on PDO, which, quite expectedly, I would recommend.

answered Apr 26, 2019 at 12:36
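The point both snippets rely on is that the parameter value is bound separately from the SQL text, so a quote inside the input is data rather than syntax. The following is an added example, not code from the question or the answer: the same query wired up with PDO against an in-memory SQLite table (constructed here so it runs offline; a MySQL DSN would behave the same way), with the table name, columns and sample rows assumed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: PDO with exceptions enabled and associative rows by default.
// A MySQL connection would use the same options; for mysql add
// PDO::ATTR_EMULATE_PREPARES => false so values are sent server-side
// instead of being spliced into the SQL string by the driver.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Constructed sample schema and rows (assumed; the page never shows the table).
$pdo->exec("CREATE TABLE myTable (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)");
$seed = $pdo->prepare("INSERT INTO myTable (name, age) VALUES (?, ?)");
foreach ([["Alice", 34], ["O'Brien", 41]] as $row) {
    $seed->execute($row);
}

/**
 * Returns every row whose name equals $name exactly. The user-supplied
 * value is passed to execute(), never concatenated into the query text.
 */
function findByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT * FROM myTable WHERE name = ?");
    $stmt->execute([$name]);
    // fetchAll() + count() is portable across drivers, unlike rowCount() on a SELECT.
    return $stmt->fetchAll();
}

// A name containing a quote is matched literally: the quote stays inside the
// bound value and cannot terminate the string literal in the SQL.
$rows = findByName($pdo, "O'Brien");
assert(count($rows) === 1 && (int) $rows[0]['age'] === 41);

// A name that is not in the table simply yields no rows.
assert(findByName($pdo, "nobody") === []);

echo count(findByName($pdo, "Alice")), " row(s) for Alice\n";
```

Run with `php -d zend.assertions=1` so the assertions are evaluated; with assertions disabled the script still runs and prints the row count.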
