1

I am trying to prevent sql injection and according to what I've been searching, the use of parameterized queries can help. Below is my PHP code on displaying the books saved in the database basing on its status which is an integer (0 for unavailable and 1 for available):

public function getBooksByStatus(){
        $qry=$this->stmt_init();
        if($qry->prepare("SELECT bookID, title, status FROM books WHERE status= ? ORDER By title ASC")){
            $qry->bind_param("i",$_GET[id]);   //$_GET[id] refers to the status
            $qry->execute();
            echo json_encode($qry->fetch_all(MYSQL_ASSOC));
            return;
    }
}

After testing the code, it doesn't have any error but it doesn't return anything.

This was my code before without parameterizing queries and actually, it works:

$qry = $this->query("SELECT bookID, title, status FROM books WHERE status= $_GET[id] ORDER By title ASC");
        echo json_encode($qry->fetch_all(MYSQL_ASSOC));
        return;

Can anyone help me, please?

Improve this question
5
  • 1
    What's behind $this->stmt_init? Or what class are you in ? Commented Jul 10, 2014 at 7:25
  • What are you trying to return with return; statement? Commented Jul 10, 2014 at 7:33
  • print_r( $qry->errorInfo() ) and paste the result, please. Commented Jul 10, 2014 at 8:05
  • It's the class where all functions used in the program are defined, including the function to connect to the database. Commented Jul 10, 2014 at 8:31
  • The return; means it will go back to where it was called, but it doesn't retrieve any rows from the database. I think the $qry->fetch_all(MYSQL_ASSOC) is the problem? I'm not sure.. Commented Jul 10, 2014 at 8:39

1 Answer 1

Reset to default
0

I'm not sure how sensitive PHP is for things like this. However:

$qry->bind_param("i",$_GET[id]);

First off all I would use $_GET['id'] just to be pure. More importantly I would cast $_GET['id'] to integer since you use "i" which according to https://www.php.net/manual/pl/mysqli-stmt.bind-param.phpdocumentation means integer.

$_GET array always contains strings.

Last thing which makes me suprised is:

$qry=$this->stmt_init();

Why you use $this instead of some var name which contains new mysqli object. I guess it can have some logical explanation. Your class extends mysqli? or something? It seems like bad practice to me. However it shouldn't have impact to result.

My tip try cast $_GET['id'] to integer

That's all what I get. Hope this will help you.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

The value will be cast to an integer by the fact that he's binding it as 'i'. It's not necessary to additionally manually cast it.
I tried replacing $_GET[id] to this $_GET['id'], but it still doesn't work.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.