Protect against SQL Injection - test with sqlmap

i wish to know if i need protection against sql injection only in the case of the inserts i write, or if it is needed to use prepared statements for all the queries. How do i test it with sqlmap? (localhost)

1 answer

  • answered 2017-06-17 18:33 Rajat Jaiswal

    Use Prepared statements below is an example

    $name = $_GET['username'];
    

    if ($stmt = $mysqli->prepare("SELECT password FROM tbl_users WHERE name=?")) {

    // Bind a variable to the parameter as a string. 
    $stmt->bind_param("s", $name);
    
    // Execute the statement.
    $stmt->execute();
    
    // Get the variables from the query.
    $stmt->bind_result($pass);
    
    // Fetch the data.
    $stmt->fetch();
    
    // Display the data.
    printf("Password for user %s is %s\n", $name, $pass);
    
    // Close the prepared statement.
    $stmt->close();
    

    }