Possible SQL injection dropping a table with stored procedure?

Question

Given this MySQL stored procedure:

CREATE PROCEDURE customer.`getCustomers5`(
sdf varchar(1000)
)
BEGIN

set @se  = concat('select * from customer.customertbl where id=', sdf);


PREPARE stm1 from @se;

EXECUTE  stm1;

END;

Is it possible to do SQL injection into this store procedure even if the front end that called this stored procedure uses PDO parameter/data binding?

I need to build a query dynamically (dynamic where clause) before calling it.

if it's possible to do SQL injection, is there any method to counter this problem?

Answer 1

You are just using prepared statements wrong.
You have to bind parameters, not concatenate them.

DELIMITER // 
CREATE PROCEDURE customer.`getCustomers5`(sdf varchar(1000)) 
BEGIN 
  PREPARE stm1 from 'select * from customer.customertbl where id=?'; 
  SET @a = sdf;
  EXECUTE stm1 using @a; 
END//
DELIMITER ;

Answer 2

If your parameter is varchar and you send a string, then yes, it is possible because even if you use PDO, it would still be a ANY string.

You should define sdf as your id type (is it integer? if not, make it integer!) and then the PDO parameter will be escaped and avoid SQL Injection.

A good practice is to avoid creating dynamic queries in a Stored Procedure and build the query in your application.