Actually I did Google it and got so many results, but I can't understand them, because I'm new in this field.
So what is an easy way to explain what PDO is, and why should I use thi
Simply imagine this user input: "1'); TRUNCATE TABLE accounts; --"
With your statement, if the user knows what DB structure you have, they can easily drop everything from the DB (assuming the DB user has the authorization).
Never use the user input directly in an SQL query as you've done; always escape/cast before use.
PDO - PHP Data Objects - is a database access layer providing a uniform method of access to multiple databases.
It doesn't account for database-specific syntax, but can allow for the process of switching databases and platforms to be fairly painless, simply by switching the connection string in many instances.
Please read this link carefully; it explains why PDO should be used in PHP.
PDO - PHP Data Objects is a database access layer providing a uniform method of access to multiple databases.
It doesn't account for database-specific syntax, but it can allow for the process of switching databases and platforms to be fairly painless, simply by switching the connection string in many instances.
Prepared statements / parameterized queries are sufficient to prevent first-order injection on that statement. If you use unchecked dynamic SQL anywhere else in your application, you are still vulnerable to second-order injection.
Second-order injection means data has been cycled through the database once before being included in a query, and is much harder to pull off. AFAIK, you almost never see real second-order attacks, as it is usually easier to social-engineer your way in.
PDO is a bit slower than mysql_*. But it has great portability. PDO provides a single interface across multiple databases. That means you can use multiple DBs without using mysql_query for MySQL, mssql_query for SQL Server, etc. Just use something like $db->query("INSERT INTO...") always, no matter what database driver you are using.
So, for larger or portable projects, PDO is preferable. Even Zend Framework uses PDO.
SQL Injection
SQL injection is a technique where malicious users can inject SQL commands into an SQL statement via web page input.
Injected SQL commands can alter the SQL statement and compromise the security of a web application.
Are PDO prepared statements sufficient to prevent SQL injection?
The short answer is NO, PDO prepared statements will not defend you from all possible SQL injection attacks. Attack examples
How to use PDO?
An example:
$stmt = $dbh->prepare("SELECT * FROM tables WHERE names = :name");
$stmt->execute(array(':name' => $name));
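The following is an added example (not code from any answer in this thread) that puts the hostile input from the TRUNCATE answer above side by side with the prepared-statement pattern from the answer just shown. It assumes an in-memory SQLite database and two made-up tables, accounts and names, purely for demonstration.

```php
<?php
// Added example, not from the thread: the hostile input shown earlier is first
// interpolated into SQL text (the vulnerable pattern, built but never executed)
// and then bound through a PDO prepared statement. SQLite in memory is used so
// the script runs offline; the table and column names are assumptions.
$userInput = "1'); TRUNCATE TABLE accounts; --";

// Vulnerable pattern: the input becomes part of the SQL grammar itself.
// We only assemble the string to show what the server would have to parse.
$unsafeSql = "INSERT INTO names (name) VALUES ('" . $userInput . "')";
echo "What the server would parse: $unsafeSql\n";

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema and data for the demonstration.
$dbh->exec("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT)");
$dbh->exec("CREATE TABLE names (id INTEGER PRIMARY KEY, name TEXT)");
$dbh->exec("INSERT INTO accounts (owner) VALUES ('alice'), ('bob')");

// Safe pattern: the query text is fixed when prepare() runs; the user input
// travels separately as a bound value and can only ever be data, never SQL.
$insert = $dbh->prepare("INSERT INTO names (name) VALUES (:name)");
$insert->execute([':name' => $userInput]);

// Look the row up again with a parameterised query, as in the answer above.
$select = $dbh->prepare("SELECT name FROM names WHERE name = :name");
$select->execute([':name' => $userInput]);
$stored = $select->fetchColumn();
echo "Input stored verbatim as data: " . var_export($stored === $userInput, true) . "\n";

// The accounts table was never touched by the bound input.
$count = (int) $dbh->query("SELECT COUNT(*) FROM accounts")->fetchColumn();
echo "Rows still in accounts: $count\n";
```

Run it with php on any build that has the pdo_sqlite extension enabled; the stored value comes back byte for byte and the accounts table keeps both rows.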