Problem with PDO and variables,


#21

I understand that, I stopped using wordpress because I got hacked once too many times. I am unaware of any hacking attempts on any of my websites since dumping wordpress. I think the effort required to find a weakness in a one off site is not as lucrative for hackers, but I may be wrong, Up to now none of my sites have had any data not available on the site, but I am starting a project that will require higher levels of security.


#22

Just for info I have

$dsn = "mysql:host=$host;dbname=$db;charset=$charset";
$pdo = new PDO($dsn, $user, $pass, $opt);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$charset = utf8mb4

Is that secure enough or do I need to do more ?


#23

You still need to write secure queries, i.e. properly apply prepared statements where user derived input occurs.


#24

Thanks, I will look into prepared statements in more detail.


#25

#26

I tried the most obvious sql injections and failed on all counts


#27

That's not a proof for security. Think of all the cases you didn't think of.


#28

The simpliest way to determine if you need prepared statements is

  • Does my query require or use user supplied inputs?
  • Does my query use input from a URL source? (Still pertains) to the first bulleted question.
  • Does my query use the WHERE clause?
  • Are these queries being escaped?

If the answer is no above all those, then you aren't required to use prepared statements. But if just 1 bullet is a "yes" for the above, you need to use prepared statements.

I usually look at the query. If my query uses a WHERE clause or a SET clause, I use prepared statements. It's also not hard to prepare a query as well. It is way more simple than having to write 50 lines with ->real_escape_string() or _real_escape_string().


I found this off another forum, but is a really good source to reference when questioning if you need prepared statements or not.


#29

Simple solutions are sometimes the best don't you think, The second line of my script should solve most problems. Exploding the input on all spaces will in effect neutralize any inputs because each space creates a new or individual search query. This occurred to me when I was checking the obvious sql injections.

$s2 = (explode(" ",$s1));

No matter what your input, it becomes an array of individual words, no phrases can survive this as far as I can figure it out. Every SQL query I have seen ever contains spaces. Along with all the other security options I feel pretty safe with this search facility.


#30

One can use escape sequences, so it's possible to pass spaces that explode() doesn't recognise as such.


#31

Code rewritten to use prepared statements. I can't however seem to find a way to create a theres nothing here message when there are no results.

$s1 = $_REQUEST["search1"];
$s2 = (explode(" ",$s1));

include ("navigation/constants.php"); 
		 		
foreach ($s2 as $s2b => $s2a)
	{
	If ($s2b < '1') {
 		$s2c = "SELECT blog_name,blog_url, blog_img, blog_desc FROM blogs WHERE blog_text LIKE ? ";
	}

	If ($s2b > '0') {
 		$s2c = $s2c."AND blog_text LIKE ? ";
	}	
}
	$s2c = $s2c." ORDER by blog_id DESC ";
	
		$sqls= $pdo->prepare($s2c);
	

foreach ($s2 as $s2b => $s2a)
	{
	If ($s2b < '1') {
 		$s2c1 = $s2b + 1;
 		$s2a1 = "%".$s2a."%";
 		 		
 	$sqls->bindParam($s2c1,$s2a1);	
	}

	If ($s2b > '0') {
 		$s2c1 = $s2b + 1;
 		 		
 	$s2a1 = "%".$s2a."%";
 		 		
 	$sqls->bindParam($s2c1,$s2a1);	 		
	}	
}
	 $sqls->execute();
	 
	
				while ($row = $sqls->fetch(PDO::FETCH_ASSOC)) {
					      
					      $k1 = htmlentities($row['blog_name']);
							$k2 = htmlentities($row['blog_url']);
							$k3 = htmlentities($row['blog_img']);
							$k4 = htmlentities($row['blog_desc']);
							
														
	       				 echo "<div id=\"block1\"><div id=\"suba\"><h2>".$k1."</h2>  <a href=\"../blog/".$k2.".html\"><img src=\"../img/".$k3."\" width=\"98%\" align=\"left\" ></a><div id=\"subat\">".$k4." <a href=\"../blog/".$k2.".html\">more about ".$k1."</a></div></div></div>";
	       				 }

#32

@photography please remember to format your code so people can read it - see post #2. I have done it for you this time.


#33

After you execute the query

$found = $sqls->rowCount();

gives the number of rows found by the query, I think.


#34

Here you go:-

SELECT*FROM`table`WHERE`id`='101'

#35

I am now using prepared statements because I wanted to anyway


#36

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.