Given this MySQL stored procedure: CREATE PROCEDURE customer.`getCustomers5`( sdf varchar(1000) ) BEGIN set @se

Question

0

Asked: May 29, 20262026-05-29T20:37:15+00:00 2026-05-29T20:37:15+00:00

Given this MySQL stored procedure: CREATE PROCEDURE customer.`getCustomers5`( sdf varchar(1000) ) BEGIN set @se

0

Given this MySQL stored procedure:

CREATE PROCEDURE customer.`getCustomers5`(
sdf varchar(1000)
)
BEGIN

set @se  = concat('select * from customer.customertbl where id=', sdf);


PREPARE stm1 from @se;

EXECUTE  stm1;

END;

Is it possible to do SQL injection into this store procedure even if the front end that called this stored procedure uses PDO parameter/data binding?

I need to build a query dynamically (dynamic where clause) before calling it.

if it’s possible to do SQL injection, is there any method to counter this problem?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-29T20:37:16+00:00

Editorial Team

2026-05-29T20:37:16+00:00Added an answer on May 29, 2026 at 8:37 pm

If your parameter is varchar and you send a string, then yes, it is possible because even if you use PDO, it would still be a ANY string.

You should define sdf as your id type (is it integer? if not, make it integer!) and then the PDO parameter will be escaped and avoid SQL Injection.

A good practice is to avoid creating dynamic queries in a Stored Procedure and build the query in your application.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Given this MySQL stored procedure: CREATE PROCEDURE customer.`getCustomers5`( sdf varchar(1000) ) BEGIN set @se

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply