Filtering user info or PDO does it all?

Hey everyone.

I’ve read time and time again that PDO filters out many SQL injection types.
I’m just wondering if I should still be using mysql_real_escape_string or anything else like htmlentities.

I’m releasing a new site out that right now only uses PDO and I’m wondering whether it’s secure for public usage.

Thanks.

Prepared statements are not vulnerable to SQL injection at all. Only if you embed user-submitted data into the SQL query itself will you have a vulnerability.

You will still need to perform htmlentities, but you do not need mysql_real_escape_string. htmlentities protects against XSS attacks (not SQL injection), which is why it is still needed. PDO handles what mysql_real_escape_string did, so long as you either 1) use prepared statements with bindValue or bindParam, or 2) use prepared statements and pass the parameters as an array to execute.

Concatenating a string and using query() is not protected.
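The two safe styles named in the reply above, next to the concatenated form that PDO cannot protect, as an added example that is not code from the thread. It assumes a MySQL database reachable with the DSN and credentials shown and a table `users(id, username, email)`; those names are placeholders.

```php
<?php
// Added example, not from the thread. DSN, credentials and the `users` table are assumed.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$username = $_GET['username'] ?? '';

// UNPROTECTED: user input is pasted into the SQL text, so a quote character in the
// input ends the string literal and the remainder is parsed as SQL. Left commented out.
// $rows = $pdo->query("SELECT id, email FROM users WHERE username = '$username'")->fetchAll();

// Style 1: prepared statement with a named placeholder and bindValue()
$stmt = $pdo->prepare('SELECT id, email FROM users WHERE username = :username');
$stmt->bindValue(':username', $username, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// Style 2: prepared statement with a positional placeholder, parameters passed to execute()
$stmt = $pdo->prepare('SELECT id, email FROM users WHERE username = ?');
$stmt->execute([$username]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// In both styles the value travels separately from the query text, so no escaping
// function is needed for the database. HTML escaping is a separate concern, done
// when the value is printed into a page, not when it is stored.
foreach ($rows as $row) {
    echo '<li>' . htmlentities($row['email'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
}
```

Setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the MySQL driver send the statement and the parameters to the server separately rather than building the escaped query string client-side; both modes keep the parameter out of the SQL text, but the non-emulated mode is the one most people mean by "real" prepared statements.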

Okay thanks a bunch guys.

Also about htmlentities… They put slashes in front of ’ and ". How do I take those off when I want to retrieve that data?

Thanks a bunch.

Use html_entity_decode(), but keep in mind that doing so will reintroduce an XSS attack unless you use strip_tags to remove non-essential HTML markup.

htmlentities is for escaping data when you output it as HTML - so that it will display properly - it has nothing to do with inserting the data in the database.

You need to VALIDATE the data when someone first inputs it - there is no point in protecting against SQL injection if you still allow someone to fill your database with meaningless junk.
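The validate-on-input, escape-on-output pattern from the last two replies, together with the html_entity_decode/strip_tags caveat, as an added example that is not code from the thread. The validation rules, the `h()` helper name and the sample form values are all constructed for illustration; the database write is shown commented out because it assumes the `$pdo` connection and `users` table from a real application.

```php
<?php
// Added example, not from the thread. Validation rules and field names are illustrative.

/** Returns the username when it passes the allow-list rule, otherwise null. */
function validateUsername(string $input): ?string
{
    $input = trim($input);
    // Allow-list: 3 to 32 characters of letters, digits, underscore or hyphen.
    return preg_match('/^[A-Za-z0-9_-]{3,32}$/', $input) === 1 ? $input : null;
}

/** Returns the e-mail address when it is syntactically valid, otherwise null. */
function validateEmail(string $input): ?string
{
    $email = filter_var(trim($input), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

/** Escapes a stored value for an HTML body or quoted attribute context. */
function h(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for $_POST.
$post = [
    'username' => 'alice_01',
    'email'    => 'alice@example.com',
    'bio'      => 'I <3 "PHP" & PDO',
];

// Step 1: validate at input time; reject junk before it reaches the database.
$username = validateUsername($post['username']) ?? exit('Invalid username');
$email    = validateEmail($post['email'])       ?? exit('Invalid e-mail');

// Step 2: store the raw text. No htmlentities, no addslashes; the prepared statement
// keeps the values out of the SQL text. (Assumes $pdo and the users table exist.)
// $stmt = $pdo->prepare('INSERT INTO users (username, email, bio) VALUES (?, ?, ?)');
// $stmt->execute([$username, $email, $post['bio']]);

// Step 3: escape once, at output time, for the HTML context it is printed into.
echo '<p>' . h($post['bio']) . '</p>';
// Prints: <p>I &lt;3 &quot;PHP&quot; &amp; PDO</p>

// The caveat from the earlier reply: if a value was entity-encoded before storage,
// html_entity_decode() restores the original markup, which is what makes echoing it
// dangerous. strip_tags() drops the tags, and the result is still escaped before output.
$stored  = htmlentities('<b>hi</b><script>x()</script>', ENT_QUOTES, 'UTF-8');
$decoded = html_entity_decode($stored, ENT_QUOTES, 'UTF-8'); // markup is back
echo '<p>' . h(strip_tags($decoded)) . '</p>';
// Prints: <p>hix()</p>
```

Because the raw text is what goes into the database, nothing ever needs decoding on the way out; the decode step only arises when data was escaped too early, and storing it raw avoids that problem entirely.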