#1  SitePoint Enthusiast (joined Aug 2009, Limbo)

    Filtering user info or PDO does it all?

    Hey everyone.

    I've read time and time again that PDO filters out many SQL-type injections.
    I'm just wondering if I should still be using mysql_real_escape_string or anything else like htmlentities.

    I'm releasing a new site that right now only uses PDO, and I'm wondering whether it's secure for public use.

    Thanks.

#2  logic_earth (joined Oct 2005, CA)

    Prepared statements are not vulnerable to SQL injection at all. Only if you embed user-submitted data into the SQL query text itself will you have a vulnerability.


#3  cpradio, Hosting Team Leader (joined Jun 2002, Ohio)

    You will still need to apply htmlentities, but you do not need mysql_real_escape_string. htmlentities protects against XSS attacks (not SQL injection), which is why it is still needed. PDO takes care of what mysql_real_escape_string did, so long as you either 1) use prepared statements with bindValue or bindParam, or 2) use prepared statements and pass the parameters as an array to execute().

    Concatenating a string and using query() is not protected.
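
    The difference described in this post, as an added example that is not code from the thread. It runs against pdo_sqlite with an in-memory database so no MySQL server is needed; the `users` table, its rows and the attacker input are constructed for illustration. It also goes one step beyond the post: a bound parameter can only stand in for a value, so a user-chosen ORDER BY column still has to be whitelisted.

```php
<?php
// Added example, not code from the thread: uses pdo_sqlite with an in-memory database so
// it runs offline. With MySQL you would also set PDO::ATTR_EMULATE_PREPARES to false so the
// server, not the client library, does the binding.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO users (username, email) VALUES (:u, :e)');
foreach (['alice', 'bob', 'carol'] as $name) {
    $insert->execute([':u' => $name, ':e' => "$name@example.com"]);
}

// Constructed attacker input: closes the string literal and adds an always-true condition.
$userInput = "' OR '1'='1";

// 1) Vulnerable: user data concatenated into the SQL text and run through query().
//    The SQL the server sees is  ... WHERE username = '' OR '1'='1'  which matches every row.
$vulnerable = $pdo->query("SELECT username FROM users WHERE username = '$userInput'");
printf("concatenated query(): %d row(s)\n", count($vulnerable->fetchAll()));

// 2) Safe: prepared statement with the value bound via bindValue(). The SQL text and the
//    value travel separately, so the quote and the OR are just bytes being compared.
$stmt = $pdo->prepare('SELECT username FROM users WHERE username = :u');
$stmt->bindValue(':u', $userInput, PDO::PARAM_STR);
$stmt->execute();
printf("prepare() + bindValue(): %d row(s)\n", count($stmt->fetchAll()));

// 3) Safe: the same thing with the parameters passed as an array to execute().
$stmt = $pdo->prepare('SELECT username FROM users WHERE username = ?');
$stmt->execute([$userInput]);
printf("prepare() + execute(array): %d row(s)\n", count($stmt->fetchAll()));

// 4) Still unsafe: prepare() does nothing for data that was concatenated into the SQL
//    text before the statement was prepared. Calling prepare() is not the protection;
//    keeping the data out of the SQL text is.
$stmt = $pdo->prepare("SELECT username FROM users WHERE username = '$userInput'");
$stmt->execute();
printf("prepare() with concatenation: %d row(s)\n", count($stmt->fetchAll()));

// Caveat: only values can be bound. Identifiers (table and column names) and keywords
// such as the ORDER BY direction cannot, so those must be checked against a whitelist.
$allowedSort   = ['id', 'username', 'email'];
$requestedSort = 'id; DROP TABLE users';            // constructed hostile input
$sortBy = in_array($requestedSort, $allowedSort, true) ? $requestedSort : 'id';
$rows = $pdo->query("SELECT username FROM users ORDER BY $sortBy")->fetchAll(PDO::FETCH_COLUMN);
printf("ordered by whitelisted column '%s': %s\n", $sortBy, implode(', ', $rows));
```

    Case 4 is the one people trip over after reading "prepared statements are safe": the statement is prepared, but the attacker's text is already part of the query by then, so it behaves exactly like query().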

#4  SitePoint Enthusiast (joined Aug 2009, Limbo)

    Okay thanks a bunch guys.

    Also, about htmlentities... they put slashes in front of ' and ". How do I take those off when I want to retrieve that data?

    Thanks a bunch.

#5  cpradio, Hosting Team Leader (joined Jun 2002, Ohio)

    Use html_entity_decode(), but keep in mind that doing so will reintroduce an XSS attack unless you use strip_tags to remove non-essential HTML markup.

#6  felgall, Programming Since 1978 (joined Sep 2005, Sydney, NSW, Australia)

    htmlentities is for escaping data when you output it as HTML, so that it displays properly; it has nothing to do with inserting the data into the database.

    You need to VALIDATE the data when someone first inputs it; there is no point in protecting against SQL injection if you still allow someone to fill your database with meaningless junk.
    Stephen J Chapman

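
    The two points in this post (validate at input time, escape at output time) put together as an added example that is not code from the thread. The validation rules, the helper names e() and eJs(), and the hostile submissions are all constructed for illustration. The tail of the block also shows why the html_entity_decode() round trip discussed in #5 hands the markup straight back.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Pattern: validate on input, store the raw
// (validated) value via a prepared statement, escape for the specific output context.

// --- Input validation: reject junk before it gets anywhere near the database ------------
function validateUsername(string $raw): ?string
{
    // Constructed policy for this example: 3 to 20 chars of letters, digits, '_' or '-'.
    return preg_match('/\A[A-Za-z0-9_-]{3,20}\z/', $raw) === 1 ? $raw : null;
}

function validateEmail(string $raw): ?string
{
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// --- Output escaping: one helper per context -----------------------------------------------
// HTML text and attribute values. ENT_QUOTES also encodes single quotes, which matters inside
// attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently returning ''.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Data dropped into inline JavaScript is a different context: JSON-encode it, with the
// HEX flags so '<', '>', '&' and quotes cannot terminate the surrounding <script> block.
function eJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Constructed submissions: one legitimate, two hostile.
$submitted = [
    ['username' => 'alice',                      'email' => 'alice@example.com'],
    ['username' => '<script>alert(1)</script>',  'email' => 'not-an-email'],
    ['username' => 'bob" onmouseover="alert(1)', 'email' => 'bob@example.com'],
];

foreach ($submitted as $row) {
    $user  = validateUsername($row['username']);
    $email = validateEmail($row['email']);
    if ($user === null || $email === null) {
        echo "rejected: ", json_encode($row), "\n";
        continue;                       // never reaches the INSERT
    }
    // At this point $user and $email would go into a prepared INSERT as-is.
    // No htmlentities here: the database stores data, not HTML.
    echo "accepted: $user <$email>\n";
}

// Rendering: whatever came out of the database is escaped at the point of output, so even a
// value that slipped past validation cannot break out of the attribute or script it sits in.
$fromDb = 'bob" onmouseover="alert(1)';   // constructed: pretend this value was stored
echo '<input value="' . e($fromDb) . '">', "\n";
echo '<script>var name = ' . eJs($fromDb) . ';</script>', "\n";

// Why decoding stored entities is dangerous (the #5 question): if the value had been
// entity-encoded before storage and is decoded on the way out, the original markup returns.
$storedEncoded = htmlentities('<img src=x onerror=alert(1)>', ENT_QUOTES, 'UTF-8');
$decoded = html_entity_decode($storedEncoded, ENT_QUOTES, 'UTF-8');
echo "decoded again:        ", $decoded, "\n";
echo "decoded + strip_tags: ", strip_tags($decoded), "\n";
```

    Storing the raw value and escaping once, at output, avoids the decode problem entirely: there is nothing to decode, and each output context (HTML body, attribute, script) gets the encoding it actually needs.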

