I am working on a dynamic application and I am not sure if parameterized queries are safe from XSS, second order attacks? Can you help me? Thanks!
I have this code as an example:
$stmt = $mysqli->prepare("INSERT INTO tb (1, 2, 3, 4, 5, 6, 7) VALUES (?, ?, ?, ?, ?, ?, ?)");
$stmt->bind_param('sssssss', $1, $2, $3, $4, $5, $6, $7);
$stmt->execute();
$stmt->close();
Answer
Nope.
A parametrized query protects against SQL Injection; that is it ensures query parameters are well formed and correctly escaped prior to processing by the SQL back end.
XSS is a different class of problem whereby input should be sanitized of HTML markup; given that a correctly parametrized SQL value can still contain markup, you need additional encoding (E.g. htmlspecialchars()
).
No comments:
Post a Comment