When is PDO injection-safe?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

VirtuosiMedia
Forum Contributor
Posts: 133
Joined: Thu Jun 12, 2008 6:16 pm

When is PDO injection-safe?

Post by VirtuosiMedia »

In reading a lot of articles and documentation on PDO, I've seen it written that it is injection safe. However, it seems to me that it would only be able to prevent injection by using either the quote function or by binding parameters, but not by simply using prepare and execute without any bound parameters or by just using exec. I've never seen an instance where it was written that PDO isn't injection safe, though, so I could be wrong. Does anyone know for certain?
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Re: When is PDO injection-safe?

Post by jmut »

Well, you assumed correctly. When you don't use bound params or quote, how could it possibly know what is your input and what is not, so that it escapes correctly?
If you directly provide the query with your input directly in there, this whole thing is substituted as a string before it even gets to PDO, so it cannot guess what is to be escaped.
With these bindings and quotes, you explicitly tell it what you expect to be escaped.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: When is PDO injection-safe?

Post by Mordred »

Also, if you want to parametrize things that are not values, PDO helps you none, and you're back to the same concerns that old-school dynamic SQL queries have.
Read my paper for examples.
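An added example, not from any of the posters, contrasting the cases raised in the question and in Mordred's reply: a value interpolated into the SQL before prepare()/exec() (not safe), the same value bound or passed through quote() (safe), and an identifier that cannot be bound and must be whitelisted. It uses an in-memory SQLite database so it runs stand-alone; the table, rows, and whitelist are constructed for illustration.

```php
<?php
// Added example (not from the thread). In-memory SQLite so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed untrusted input; stands in for $_GET['name'] and $_GET['sort'].
$name = 'alice';
$sort = 'name';

// 1. NOT safe: prepare()/execute() (or exec()) with the value already
//    interpolated into the SQL text. PDO receives one finished string and
//    has no way to tell which part was data, so nothing gets escaped.
$unsafe = $pdo->prepare("SELECT id FROM users WHERE name = '$name'");
$unsafe->execute();

// 2a. Safe for values: the value is bound, so it is sent separately from the
//     SQL text and is never parsed as SQL.
$bound = $pdo->prepare('SELECT id FROM users WHERE name = :name');
$bound->execute([':name' => $name]);

// 2b. Also safe for values: quote() escapes and wraps the value for this
//     driver before it is concatenated into the SQL.
$quoted = $pdo->query('SELECT id FROM users WHERE name = ' . $pdo->quote($name));

// 3. Identifiers (Mordred's point): a column in ORDER BY is not a value and
//    cannot be bound or quoted, so the only defence is a strict whitelist.
function orderByColumn(PDO $pdo, string $requested): array
{
    $allowed = ['id', 'name', 'role'];   // hypothetical whitelist of real columns
    if (!in_array($requested, $allowed, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    // $requested is now known to be one of our own literals, not user text.
    $stmt = $pdo->query("SELECT name FROM users ORDER BY $requested");
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(orderByColumn($pdo, $sort));
```

Only case 1 is vulnerable; cases 2a and 2b handle values correctly, and case 3 shows that for anything that is not a value you are back to validating the input yourself.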