When is PDO injection-safe?
Posted: Tue Jul 22, 2008 12:30 am
by VirtuosiMedia
In reading a lot of articles and documentation on PDO, I've seen it written that it is injection safe. However, it seems to me that it would only be able to prevent injection by using either the quote function or by binding parameters, but not by simply using prepare and execute without any bound parameters or by just using exec. I've never seen an instance where it was written that PDO isn't injection safe, though, so I could be wrong. Does anyone know for certain?
Re: When is PDO injection-safe?
Posted: Tue Jul 22, 2008 1:45 am
by jmut
Well, you assumed correctly. When you don't use bound params or quote, how could it possibly know what your input is so that it escapes it correctly?
If you directly provide the query with your input already in it, the whole thing is substituted as a string before it even gets to PDO, so it cannot guess what is to be escaped.
With bindings and quotes, you explicitly tell it what you expect to be escaped.
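The distinction in the reply above, shown as an added example that is not code from the thread. It assumes the pdo_sqlite extension is available and uses an in-memory SQLite database with a constructed users table, so it runs offline: the same attacker input is passed through string interpolation (even with prepare/execute), through a bound parameter, and through PDO::quote().

```php
<?php
// Added example for the PDO injection discussion (not from the original post).
// Assumes the pdo_sqlite extension; table contents are constructed sample data.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    $db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");
    return $db;
}

// Vulnerable: the untrusted value is interpolated into the SQL text before PDO
// sees it. Calling prepare() on the finished string changes nothing, because
// the driver can no longer tell which characters were data and which were syntax.
function findByNameInterpolated(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT name, role FROM users WHERE name = '$name'");
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the SQL text contains only a placeholder; the value is sent separately
// and bound as data, so quotes and operators inside it have no SQL meaning.
function findByNameBound(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Also safe for a value: PDO::quote() escapes the string and wraps it in quotes
// using the driver's rules, so it becomes a single string literal.
function findByNameQuoted(PDO $db, string $name): array
{
    $sql = 'SELECT name, role FROM users WHERE name = ' . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
$payload = "' OR '1'='1"; // constructed attacker input

printf("interpolated: %d row(s)\n", count(findByNameInterpolated($db, $payload)));
printf("bound:        %d row(s)\n", count(findByNameBound($db, $payload)));
printf("quoted:       %d row(s)\n", count(findByNameQuoted($db, $payload)));
```

With this input the interpolated query becomes `SELECT name, role FROM users WHERE name = '' OR '1'='1'` and returns every user, while the bound and quoted variants compare the column against the literal string `' OR '1'='1` and match nothing. The check to apply in a code review is therefore not "does it call prepare()" but "does any untrusted string reach the SQL text itself".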
Re: When is PDO injection-safe?
Posted: Tue Jul 22, 2008 3:16 am
by Mordred
Also, if you want to parametrize things that are not values, PDO doesn't help you at all, and you're back to the same concerns that old-school dynamic SQL queries have.
Read my paper for examples.
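An added example for the point above about parametrizing things that are not values; it is not code from the thread or from the linked paper. It assumes the pdo_sqlite extension and a constructed users table. A column name cannot be bound: binding it turns the ORDER BY expression into a constant string, interpolating it reopens dynamic-SQL injection (here an attacker uses the sort order to infer whether a user is an admin), and the working fix is an allow-list that maps caller-facing keys to known identifiers.

```php
<?php
// Added example (not from the original post). Assumes pdo_sqlite; sample data
// is constructed so that sorting by id and by -id give visibly different orders.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    $db->exec("INSERT INTO users (name, role) VALUES ('carol', 'admin'), ('alice', 'user'), ('bob', 'user')");
    return $db;
}

// Does not do what the caller wants: the bound value is a string literal, so
// every row sorts by the same constant and the column name is never used.
function namesOrderedByBound(PDO $db, string $column): array
{
    $stmt = $db->prepare('SELECT name FROM users ORDER BY :col');
    $stmt->execute([':col' => $column]);
    return array_column($stmt->fetchAll(PDO::FETCH_ASSOC), 'name');
}

// Vulnerable: the identifier is spliced into the SQL text, so the caller can
// supply any expression, including subqueries against other rows.
function namesOrderedByInterpolated(PDO $db, string $column): array
{
    $rows = $db->query("SELECT name FROM users ORDER BY $column")->fetchAll(PDO::FETCH_ASSOC);
    return array_column($rows, 'name');
}

// Safe: untrusted input only selects an entry from a fixed map of identifiers;
// the SQL text is built solely from the map's values and a fixed direction.
const SORT_COLUMNS = ['id' => 'id', 'name' => 'name', 'role' => 'role'];

function namesOrderedByAllowListed(PDO $db, string $column, string $direction = 'asc'): array
{
    if (!array_key_exists($column, SORT_COLUMNS)) {
        throw new InvalidArgumentException("unknown sort column: $column");
    }
    $dir = strtolower($direction) === 'desc' ? 'DESC' : 'ASC';
    $sql = sprintf('SELECT name FROM users ORDER BY "%s" %s', SORT_COLUMNS[$column], $dir);
    return array_column($db->query($sql)->fetchAll(PDO::FETCH_ASSOC), 'name');
}

$db = makeDb();

// Constructed attacker input: the sort order now depends on carol's role, so an
// attacker who can only see the ordering learns whether carol is an admin.
$probe = "CASE WHEN (SELECT role FROM users WHERE name = 'carol') = 'admin' THEN id ELSE -id END";

echo 'bound:        ', implode(',', namesOrderedByBound($db, 'name')), "\n";
echo 'interpolated: ', implode(',', namesOrderedByInterpolated($db, $probe)), "\n";
echo 'allow-listed: ', implode(',', namesOrderedByAllowListed($db, 'name')), "\n";

try {
    namesOrderedByAllowListed($db, $probe);
} catch (InvalidArgumentException $e) {
    echo 'rejected:     ', $e->getMessage(), "\n";
}
```

With the constructed rows, the interpolated variant returns carol,alice,bob when carol is an admin and bob,alice,carol otherwise, which is exactly the kind of inference the allow-list prevents: the probe string never reaches the SQL text, because it is not a key in SORT_COLUMNS. The same allow-list approach applies to table names, sort direction, and any other part of a statement that the database engine treats as syntax rather than data.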