  1. #1
    jackli
    Join Date
    Sep 2005
    Posts
    436

    $PDO->query() prevents injection attacks?

    Just checking, does PDO's query() prevent injection attacks?

    Or, is it in the prepare()

    or a mix of prepare() and execute() ?

  2. #2
    SitePoint Wizard
    Join Date
    Jul 2006
    Location
    Augusta, Georgia, United States
    Posts
    4,194
    Binding parameters and using placeholders prevents injection attacks. The query or execute method themselves do not prevent such attacks if user accessible data is embedded in the execution query.

  3. #3
    SitePoint Guru risoknop
    Join Date
    Feb 2008
    Location
    end($world)
    Posts
    834
    Only prepared statements prevent SQL injection... because the query and the values bound to placeholders are sent separately (as I have been told).

    When using PDO::query(), you must take the same security measures as with old MySQL functions (mysql_real_escape_string()).
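The two points made in replies #2 and #3 side by side, as an added example that is not code from the thread: a lookup that interpolates user input into the SQL text passed to PDO::query(), next to the same lookup done with prepare()/execute() and a named placeholder. It uses an in-memory SQLite database (the pdo_sqlite extension) so it runs offline; the users table, its rows and the hostile input string are constructed for the demonstration.

```php
<?php
// Added example, not from the thread. Compares PDO::query() with string
// interpolation against prepare()/execute() with a bound placeholder.
// Schema, rows and the test input are constructed for this demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");

// Constructed input of the kind a login or search form might receive.
// The single quote lets it break out of the string literal below.
$input = "x' OR '1'='1";

// Unsafe: the value is spliced into the SQL text, so its quote characters
// change the structure of the statement. query() does nothing about this;
// it simply runs whatever string it is given.
function findByNameUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the SQL text is fixed at prepare() time; the value travels through
// execute() as a parameter and can only ever be compared as data.
function findByNameSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$unsafe = findByNameUnsafe($pdo, $input);
$safe   = findByNameSafe($pdo, $input);

printf("query() with interpolated input returned %d row(s)\n", count($unsafe));
printf("prepare()/execute() with a placeholder returned %d row(s)\n", count($safe));
```

Run it and the interpolated version returns every row in the table, because the WHERE clause has become `name = 'x' OR '1'='1'`, while the prepared version returns none, because no user is literally named `x' OR '1'='1`. One caveat on the "sent separately" explanation in reply #3: with the MySQL driver, PDO emulates prepared statements by default (PDO::ATTR_EMULATE_PREPARES), quoting the bound values on the client and sending a single statement. That is still safe against injection as long as the connection character set is declared in the DSN; setting the attribute to false makes the driver use real server-side prepares, where the statement and the values really are transmitted separately.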
