Or is the call to real_escape_string() not needed in such cases?

Email value comes from user input.

```php
function findUser($email)
{
    $mysqli = connectDB();
    // Escape the user-supplied value before splicing it into the SQL text
    $email = $mysqli->real_escape_string($email);
    // The procedure call is still built as a plain query string
    $query = "CALL FindUser('{$email}')";
    // ...
}
```
+1  A: 

You are just building a dynamic SQL string that contains a procedure call, which can be attacked. You should bind parameters to the procedure, which gives you some protection, as long as you do not use dynamic SQL within the procedure.

mysqli_stmt::bind_param

Bound Parameters

KM
+1  A: 

Yes, you still need to escape it, the stored procedure is just as vulnerable as a regular query.

UltimateBrent
I thought parameters for stored procedures would be automatically escaped by the database.
z-boss
You would with numbers where you can declare their type, but strings like an email could still be injected against. Consider if they sent the below as their email:

[email protected]');DROP TABLE USERS;

You're probably thinking of parameter binding, like KM was talking about. That's really the safest way to do it. Takes all the fear out of wondering if you missed a mysql_real_escape_string call somewhere.
UltimateBrent
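Both answers in one piece of code, as an added example that is not from the question or either answer: the question's escaped string-building call kept side by side with the bound-parameter call KM recommends, fed the kind of quote-closing payload UltimateBrent describes. It assumes the connectDB() helper from the question returns a mysqli connection and that a stored procedure FindUser taking one VARCHAR argument exists and returns one result set; the procedure signature, the payload value and the result handling are assumptions, not anything the thread states.

```php
<?php
// Added example, not code from the question or the answers.
// Assumes: connectDB() (from the question) returns a mysqli handle, and a
// procedure FindUser(IN p_email VARCHAR(255)) exists and returns one result
// set. The procedure signature is an assumption.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Drain any result sets left over after a CALL so the connection can be
// reused; a procedure that returns rows also returns a final status result.
function drainResults(mysqli $mysqli): void
{
    while ($mysqli->more_results() && $mysqli->next_result()) {
        if ($extra = $mysqli->store_result()) {
            $extra->free();
        }
    }
}

// The question's approach: the CALL is assembled as text, so the value
// MUST pass through real_escape_string(). Forgetting that one call is the
// whole risk; the escaping is what keeps the quote from ending the literal.
function findUserEscaped(mysqli $mysqli, string $email): ?array
{
    $safe   = $mysqli->real_escape_string($email);
    $query  = "CALL FindUser('{$safe}')";
    $result = $mysqli->query($query);
    $row    = $result->fetch_assoc() ?: null;
    $result->free();
    drainResults($mysqli);
    return $row;
}

// KM's approach: the argument is a bound parameter, so it is sent to the
// server separately from the SQL text and there is no escaping call to
// forget. This only holds if FindUser itself does not build dynamic SQL
// (PREPARE/EXECUTE on a concatenated string) from p_email; if it does, the
// injection simply moves inside the procedure body.
function findUserBound(mysqli $mysqli, string $email): ?array
{
    $stmt = $mysqli->prepare('CALL FindUser(?)');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $result = $stmt->get_result();          // needs the mysqlnd driver
    $row    = $result->fetch_assoc() ?: null;
    $result->free();
    // skip the trailing status result of the CALL
    while ($stmt->more_results() && $stmt->next_result()) {
    }
    $stmt->close();
    return $row;
}

// Constructed payload in the spirit of UltimateBrent's comment (not the
// value from the thread): unescaped, the first quote would close the string
// literal and the remainder would become SQL text.
$payload = "x@example.com');DROP TABLE USERS;-- ";

$mysqli = connectDB();
var_dump(findUserEscaped($mysqli, $payload)); // quote is escaped: looked up as a literal string
var_dump(findUserBound($mysqli, $payload));   // whole string is one parameter: looked up as a literal string
```

In both calls the payload is treated as an email address that does not exist, so each function returns null. The difference is where the safety comes from: in findUserEscaped it depends on a per-call escaping step that is easy to omit, in findUserBound it is a property of the protocol. Either way, audit the body of FindUser for dynamic SQL before trusting the result.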