Can you “SQL Inject” a PHP Variable Comparison?

Question

So something that I have been wondering about while working on a current project is if a simple variable comparison is in danger of \"SQL Injection\" type attacks when one o

Answer 1

If you use prepared statements and pass the input as parameters to the prepared statement, you’re safe from SQL injections. The parameters should be handled properly and it should not be possible that fragments of the passed parameters are interpreted as SQL code instead of data. That’s the exact point of parameterization, i. e., the separation of code and data parameters.

So it should not be possible to inject anything into the query. However, you should not store the passwords in plaintext but in a irreversible form as a hash using an appropriate hash function.

---

As for your question whether an injection is also possible in PHP itself: Yes, code injection can happen in any code that gets generated dynamically, so even in PHP.

However, you would need not just to generate the code dynamically but also execute it. PHP has some functions that execute PHP), e. g., the eval function. However, you would probably not use constructs like this:

if (eval("return '$pass' === '$checkPermRow[pass]';"))

This would be vulnerable to PHP code injection and a a' == 'a' || 'a would result in something like:

return 'a' == 'a' || 'a' === 'password from database';