Right now I'm using prepared statements to select / insert data into MySQL.
OK, my question: I found out about second-order attacks.
So the user, for example, registers on my site.
And uses as email or username something like this:
"username '; DELETE Orders;--"
This gets inserted into the MySQL table.
So when I receive the data again via a prepared statement, and insert / do something with it again in a prepared statement,
would I be safe because I use prepared statements?
Sample:
Get bad data:
    $sql = "SELECT * FROM USERS where USERID = 1";
    ...
    $stmt->bind_result($username);
    ...
Next query:
INSERT or do other things:
    $sql = "SELECT * FROM email WHERE USERNAME = ?";
    ...
    $stmt->bind_param('s', $username);
    ...
After my thinking I would be safe if I do it so? Or is there a possible leak?
But I would be attackable if I did it like so:
    $sql = "SELECT * FROM email WHERE username = $username";
    $stmt = $mysqli->prepare($sql);
    $stmt->execute();
Thanks 🙂
As long as placeholders are consistently used (everywhere!) for all [variable] data, then all SQL-injection attacks* are thwarted, second-order or otherwise.
This doesn’t mean that there aren’t vulnerabilities or other attack vectors — but it does mean someone with a “clever username” won’t be able to send an unexpected “DROP” to the database. As pointed out, if anywhere uses an “unsafe SQL statement” then, wham! guarantees are off.
(The set of “unsafe SQL statements” includes, but is not limited to, any such statement which does not use placeholders for all [variable] data.)
Happy coding.
*This assumes there are no bugs/vulnerabilities in the placeholder support/database driver, of course. But that’s another story…
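The second-order flow the question describes, as an added example that is not code from the question or the answer: the hostile username is stored through a placeholder, read back later, and then reaches two lookups, one that splices it into SQL text and one that binds it. The table layout and connection values are assumptions.

```php
<?php
// Added example, not code from the question or the answer. Assumes tables
// users(id INT AUTO_INCREMENT, username VARCHAR) and email(username VARCHAR,
// address VARCHAR); the connection values are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors as exceptions
$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');

// UNSAFE second-order sink: a value read back from the database is spliced into
// the SQL text, so a quote inside it ends the string literal. The stored payload
// from the question breaks the statement; a stored  x' OR '1'='1  would instead
// match every row of the email table.
function lookup_unsafe(mysqli $db, string $username): array|string {
    try {
        $res = $db->query("SELECT address FROM email WHERE username = '$username'");
        return array_column($res->fetch_all(MYSQLI_ASSOC), 'address');
    } catch (mysqli_sql_exception $e) {
        return 'query failed: ' . $e->getMessage();   // the payload altered the SQL
    }
}

// SAFE second-order sink: the same value is bound to a placeholder, so MySQL
// treats it purely as data and the statement text never changes.
function lookup_safe(mysqli $db, string $username): array {
    $stmt = $db->prepare("SELECT address FROM email WHERE username = ?");
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return array_column($rows, 'address');
}

// Step 1: registration stores the hostile username. The INSERT uses a
// placeholder, so the string is stored verbatim and executes nothing.
$hostile = "username '; DELETE Orders;--";
$stmt = $db->prepare("INSERT INTO users (username) VALUES (?)");
$stmt->bind_param('s', $hostile);
$stmt->execute();
$userId = $db->insert_id;

// Step 2: later the application reads the username back. Data from your own
// tables is still untrusted input for the next statement that uses it.
$stmt = $db->prepare("SELECT username FROM users WHERE id = ?");
$stmt->bind_param('i', $userId);
$stmt->execute();
$stmt->bind_result($username);
$stmt->fetch();
$stmt->close();

// Step 3: the same stored value reaches both sinks; only the bound one is safe.
var_dump(lookup_unsafe($db, $username));
var_dump(lookup_safe($db, $username));
```

Run it against a throwaway database: the bound lookup returns an array (empty unless an email row literally carries the hostile string), while the interpolated lookup fails because the quote in the stored value rewrote the statement.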