
This is the code:

// prepare the statement first; bind_param() binds the variables by reference,
// so they can be assigned after binding as long as that happens before execute()
$stmt = $db->prepare("SELECT DISTINCT * FROM kurssit WHERE BINARY id=? AND BINARY avain=?");
$stmt->bind_param("is", $kurssi, $avain); // "i" binds $kurssi as an integer, "s" binds $avain as a string
$kurssi = $_POST["kurssi"];
$avain = $_POST["username"];
$stmt->execute();
$stmt->store_result();

if ($stmt->num_rows == 0) {
    echo json_encode(array('status' => 'error'));
} else {
    $_SESSION['KurssiId'] = $kurssi; // the session key must be a quoted string, not a bare constant
    echo json_encode(array('status' => 'success'));
}

Why can I not SQL inject this? I tried doing kurssi=0'or 1=1-- -, but it doesn't work for some reason? What am I missing here? Even sqlmap doesn't find an injection for some reason.

kurssi=0'or 1=1-- - should return all rows, which means that the if statement is false

Does this answer your question? [Are prepared statements 100% safe against SQL injection?](https://security.stackexchange.com/questions/15214/are-prepared-statements-100-safe-against-sql-injection). In short: by using a prepared statement with parameter binding you cleanly separate code (SQL statement) and user-supplied data (parameters). SQL injection is possible if user-supplied data are interpreted as code, which due to this clean separation is no longer possible. – Steffen Ullrich Nov 07 '22 at 22:04

1 Answer


Why can I not SQL inject this?

Because you are using a prepared statement.

SQL injection cannot be used with prepared statements because the user input is not inserted into the statements until after they have been compiled. As such, user input is always treated as simple strings and there's no way that it can be interpreted as part of the statement and be executed.

For a detailed explanation you may take a look at this article.

– Spyros
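To make the answer's point concrete, here is an added example (not the asker's PHP or any code from the thread) that runs the asker's exact input against two versions of the same lookup: one that concatenates the input into the SQL text and one that binds it as a parameter, as the mysqli code in the question does. It uses Python's sqlite3 with a constructed `kurssit` table standing in for the real one; the BINARY modifier is MySQL-specific and is omitted.

```python
import sqlite3

# Constructed sample data standing in for the question's `kurssit` table:
# a course id plus an access key. This is an added example, not the
# asker's code.
ROWS = [(1, "alpha-key"), (2, "beta-key"), (3, "gamma-key")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE kurssit (id INTEGER, avain TEXT)")
    db.executemany("INSERT INTO kurssit VALUES (?, ?)", ROWS)
    return db


def lookup_concatenated(db, kurssi, avain):
    # Vulnerable form: user input is pasted into the SQL text, so a quote
    # closes the literal and "--" comments out the rest of the statement.
    sql = ("SELECT DISTINCT * FROM kurssit WHERE id='%s' AND avain='%s'"
           % (kurssi, avain))
    return db.execute(sql).fetchall()


def lookup_prepared(db, kurssi, avain):
    # Parameterised form, the equivalent of prepare()/bind_param() in the
    # question: the statement is compiled first and the values are supplied
    # afterwards, so they can only ever be compared as data.
    sql = "SELECT DISTINCT * FROM kurssit WHERE id=? AND avain=?"
    return db.execute(sql, (kurssi, avain)).fetchall()


PAYLOAD = "0'or 1=1-- -"  # the exact input the asker tried


def demo():
    db = make_db()
    leaked = lookup_concatenated(db, PAYLOAD, "wrong")  # every row comes back
    safe = lookup_prepared(db, PAYLOAD, "wrong")        # nothing matches
    legit = lookup_prepared(db, 2, "beta-key")          # normal use still works
    return len(leaked), len(safe), legit


if __name__ == "__main__":
    print(demo())  # -> (3, 0, [(2, 'beta-key')])
```

The concatenated query degenerates to `WHERE id='0' or 1=1`, which is what the asker expected to see; the bound parameter is compared against `id` as an opaque value and matches nothing.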