
I am working on a dynamic application and I am not sure if parameterized queries are safe from XSS and second-order attacks. Can you help me? Thanks!

I have this code as an example:

    // Column and variable names are placeholders from the question; "$1" is not a
    // valid PHP variable name, so the columns are named c1..c7 and the values $v1..$v7.
    $stmt = $mysqli->prepare("INSERT INTO tb (c1, c2, c3, c4, c5, c6, c7) VALUES (?, ?, ?, ?, ?, ?, ?)");

    // Seven string parameters are bound and sent separately from the SQL text.
    $stmt->bind_param('sssssss', $v1, $v2, $v3, $v4, $v5, $v6, $v7);
    $stmt->execute();
    $stmt->close();

2 Answers

Nope.

A parametrized query protects against SQL injection; that is, it ensures query parameters are well formed and correctly escaped prior to processing by the SQL back end.

XSS is a different class of problem whereby input should be sanitized of HTML markup; given that a correctly parametrized SQL value can still contain markup, you need additional encoding (e.g. htmlspecialchars()).

4 Comments

Thanks Alex! The htmlspecialchars() is enough then?
... probably, take a look at How to prevent XSS with HTML/PHP?
XSS and second order attacks are the same thing?
2nd order is a type of XSS attack (the type that applies to the storage of compromised data)
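An added example (not from the question or either answer) that walks through the point made above: a bound parameter stores a value containing HTML verbatim, so the SQL is safe but the page that later echoes it is not until the value is encoded for its HTML context. It assumes PDO with the sqlite extension so it runs without a MySQL server; the question's mysqli code stores the value in exactly the same way.

```php
<?php
// Added example, not code from the question or answers. Uses an in-memory
// SQLite database via PDO (assumed available) instead of the question's mysqli.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed hostile input: harmless to the SQL because it is bound as data,
// but it becomes markup if echoed into an HTML page unencoded.
$author = 'Mallory" onmouseover="alert(1)';
$body   = 'Nice post! <script>alert(1)</script>';

// SQL injection is prevented here: the driver sends the values separately from
// the statement text, so quotes inside them never change the query structure.
$stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
$stmt->execute([$author, $body]);

// The "second order" case: the markup is now sitting in the database and will
// be read back by a different page, possibly much later.
$row = $db->query('SELECT author, body FROM comments')->fetch(PDO::FETCH_ASSOC);

// Encode at output time for the context being written into. For HTML text and
// quoted attribute values, htmlspecialchars with ENT_QUOTES neutralises the
// characters that can break out of that context: & < > " '
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering: stored values interpolated raw into the markup.
$vulnerable = '<p title="' . $row['author'] . '">' . $row['body'] . '</p>';

// Hardened rendering: every dynamic value is encoded for its HTML context.
$hardened = '<p title="' . h($row['author']) . '">' . h($row['body']) . '</p>';

echo "vulnerable: $vulnerable\n";
echo "hardened:   $hardened\n";
// In the hardened output <script> appears as &lt;script&gt; and the quote in the
// author name as &quot;, so the browser renders text instead of executing markup.
```

Note that htmlspecialchars() is the right tool only for HTML text and attribute values; a value placed inside a JavaScript block, a URL, or a CSS rule needs the encoding for that context instead.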
1

Definitely not.

Please don't implement XSS user sanitisation yourself.

Please do use a separate library specifically for this. You're never going to be able to catch all the corner cases yourself.

Here is a short list of some of the corner cases you need to combat.
