This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
PDO prepared statement - what are colons in parameter names used for?
(6 answers)
PDO closing connection
(6 answers)
Closed 5 years ago.
I am using PDO for the first time on my project and have some confusion I would like to clear up:
Everyone recommends PDO because it prevents SQL injection, so:
Do we need to apply other functions like strip_tags before making a query, or aren't they necessary with PDO?
What is the difference between :username and username?
Example:
$stmt = $db->prepare("SELECT id FROM USERS WHERE username=:username");
$stmt->bindParam(":username", $username);
$stmt->bindParam("username", $username);
Does PDO::PARAM_STR, which is used as the third parameter in the bindParam statement, prevent SQL injection?
Is it necessary to close the connection by setting the connection object to null at the end? Like:
$db = null;
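A worked version of the four points above, added here as an example rather than taken from the question or from any answer. It assumes an in-memory SQLite database and a constructed USERS table so that it runs offline; with MySQL only the DSN and credentials change.

```php
<?php
// Added example, not from the original question. It answers the four points in
// running code against an in-memory SQLite database with a constructed USERS
// table (an assumption for the demo); with MySQL only the DSN and credentials change.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // throw instead of returning false
    // For MySQL also set PDO::ATTR_EMULATE_PREPARES => false so the server,
    // not the driver, does the parameter handling.
]);
$db->exec('CREATE TABLE USERS (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)');
$db->exec("INSERT INTO USERS (id, username) VALUES (1, 'alice'), (2, 'o''brien')");

// :username in the SQL is a named placeholder; the colon is part of that syntax.
// bindValue()/bindParam() accept the name with or without the colon (PDO adds
// it when it is missing), so the two bindParam() lines in the question are equivalent.
function findUserId(PDO $db, string $username): ?int
{
    $stmt = $db->prepare('SELECT id FROM USERS WHERE username = :username');
    // PDO::PARAM_STR is only a type hint for the driver. The injection protection
    // comes from the value travelling separately from the SQL text, which is why
    // no strip_tags() or escaping is needed on $username for the query itself
    // (strip_tags/htmlspecialchars are for HTML output, a different problem).
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Ordinary names, a name containing a quote, and an injection attempt all take
// the same path; the attempt is simply a username that nobody has.
foreach (['alice', "o'brien", "' OR '1'='1"] as $username) {
    printf("%-14s => %s\n", $username, var_export(findUserId($db, $username), true));
}

// bindParam() differs from bindValue(): it binds the variable by reference and
// reads it at execute() time, which is what makes it useful for re-running one
// prepared statement with different values.
$stmt = $db->prepare('SELECT id FROM USERS WHERE username = :username');
$stmt->bindParam('username', $name, PDO::PARAM_STR);   // colon omitted on purpose
foreach (['alice', 'nobody'] as $name) {
    $stmt->execute();
    printf("%-14s => %s\n", $name, var_export($stmt->fetchColumn(), true));
}

// Setting the handle to null closes the connection only once nothing else refers
// to it; a live PDOStatement keeps it open. PHP closes it at script end anyway,
// so this matters for long-running workers rather than ordinary page requests.
$stmt = null;
$db = null;
```

The first loop returns the id for the two real users and null for the injection attempt, because the string `' OR '1'='1` is compared as a username rather than parsed as SQL. The second loop shows why bindParam() exists at all: the statement is prepared once and the referenced variable is re-read on every execute().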
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 4 years ago.
Most of the time I've been doing SQL like this:
$pdo = new PDO($dsn, $usr, $pass);
$qry = 'SELECT * FROM `my_table` WHERE `pk_id` = '. $id .';';
$res = $pdo->query($qry);
But recently I've seen a few posts showing that the only way to be safe is to use prepared statements. This isn't really an issue for me, and this probably has an answer, just one I couldn't find by Googling around.
Surely, if all of my statements end in .';', using concat is OK?
Thanks,
No.
In SQL, it does not give an error if you supply two semicolons at the end of your query.
So if a user could pass along this:
1; DROP TABLE users;
it will have the same consequences, with or without the semicolon your code adds at the end.
The huge benefit of prepared statements is that no data is being altered. It simply sends two queries.
Here is a nice source which contains a lot of SQL injection examples.
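The question's two patterns side by side, added here as an example rather than code from the question or the answer. It runs against an in-memory SQLite database with a constructed `my_table` (table, rows and payloads are invented for the demo), so it works offline:

```php
<?php
// Added example, not from the original answer. It runs the question's two
// patterns against an in-memory SQLite database with a constructed my_table,
// so it works offline; the table and rows are invented for the demo.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE my_table (pk_id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO my_table (pk_id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// The question's pattern: $id becomes part of the SQL text, and the ';' the
// developer appends is just one more character at the end of whatever $id
// turned the statement into.
function fetchConcat(PDO $pdo, string $id): array
{
    $qry = 'SELECT * FROM `my_table` WHERE `pk_id` = ' . $id . ';';
    return $pdo->query($qry)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL text is fixed before any user data exists, and
// the value is sent separately, so it can only ever be compared, never parsed.
function fetchPrepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT * FROM `my_table` WHERE `pk_id` = ?;');
    $stmt->bindValue(1, $id, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// What the concatenation produces for the answer's payload (printed, not run).
// The extra ';' in the code adds nothing: the server receives the DROP
// statement either way, and whether it executes depends on whether the driver
// accepts stacked statements (PDO_MySQL does by default; the constructor option
// PDO::MYSQL_ATTR_MULTI_STATEMENTS => false turns that off).
$stacked = '1; DROP TABLE users';
echo 'SELECT * FROM `my_table` WHERE `pk_id` = ' . $stacked . ';', "\n";

// A payload that needs no second statement at all: the WHERE clause becomes
// pk_id = 1 OR 1=1 and matches the whole table.
$tautology = '1 OR 1=1';
echo 'concatenated: ', count(fetchConcat($pdo, $tautology)), " rows\n";
// The same bytes as a bound parameter are compared as the string '1 OR 1=1',
// which equals no pk_id, so nothing comes back; a genuine id still works.
echo 'prepared:     ', count(fetchPrepared($pdo, $tautology)), " rows\n";
echo 'prepared(2):  ', count(fetchPrepared($pdo, '2')), " rows\n";
```

The concatenated query returns every row for the tautology payload while the prepared one returns none, which is the whole point: the trailing `;` never enters into it, because the damage is done by the text that arrives before it.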
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 5 years ago.
I have been given a project to complete, in the backend there are SQL statements doing various things, as you'd expect.
In the past I have used PDO to construct SQL queries that use parameterisation to avoid injection attacks.
Whilst reading through the code I noticed many queries in the form of:
$sql = "SELECT * FROM detail WHERE email ='$email'";
$query = mysqli_query($dbcon, $sql);
With no parameterisation or cleaning of input.
Is this type of query vulnerable? Should there not be some form of parameterisation, and, more importantly, should I explain the risks involved, as it seems the developer was unaware of the risk?
Yes, it is.
But you can use this with mysqli: http://php.net/manual/en/mysqli.prepare.php
So with your data it will look like:
$prepare = $dbcon->prepare("SELECT * FROM detail WHERE email = ?");
$prepare->bind_param("s", $email);
$prepare->execute();
This question already has answers here:
How to echo a MySQLi prepared statement?
(6 answers)
Closed 5 years ago.
Is there any function that will return the prepared query string after processing all the parameters? Like:
$stmt = $conn->prepare("SELECT full_name FROM user_info where user_id = ?");
$stmt->bind_param("s", $user_id);
Can I see the final query string that will execute?
If the driver is capable of using prepared statements (if it doesn't require emulation), then the final query executed is the prepared statement.
If you want to find out what was executed, you need to turn on the general query log on your server. That can be very, very noisy and fill up your disk quickly on a busy server.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
If you use htmlspecialchars() when receiving input from the user, like:
$email = htmlspecialchars($_POST['email']);
Should you use a prepared statement if the query is just a SELECT one?
You should always use prepared statements. Here's an example:
If the user inputs the following:
"105 or 1=1"
The htmlspecialchars() function won't do anything to it.
The query would look like:
SELECT * FROM Users WHERE UserId = 105 or 1=1
See this doc
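Where each defence belongs, added here as an example rather than code from the question or the answer: the prepared statement protects the query, `htmlspecialchars()` protects the HTML page. It uses an in-memory SQLite database and a constructed Users table (the column names follow the answer's query) so it runs offline:

```php
<?php
// Added example, not from the original answer. In-memory SQLite and a constructed
// Users table keep it runnable offline; column names follow the answer's query.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Email TEXT NOT NULL)');
$pdo->exec("INSERT INTO Users (UserId, Email) VALUES (105, 'alice@example.com'), (106, 'bob@example.com')");

$input = '105 or 1=1';   // what the user in the answer typed

// htmlspecialchars() only rewrites & < > and quotes. The payload contains none of
// them, so it comes back untouched and the concatenated query still reads
// ... WHERE UserId = 105 or 1=1, matching every row.
function vulnerableLookup(PDO $pdo, string $input): array
{
    $escaped = htmlspecialchars($input);
    return $pdo->query("SELECT * FROM Users WHERE UserId = $escaped")->fetchAll(PDO::FETCH_ASSOC);
}

// Validate the type first, then bind. Validation matters because drivers coerce
// rather than reject: PDO_SQLite casts '105 or 1=1' bound as PDO::PARAM_INT to
// 105, which would make the request look legitimate instead of failing it.
function safeLookup(PDO $pdo, string $input): array
{
    $id = filter_var($input, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('UserId must be an integer');
    }
    $stmt = $pdo->prepare('SELECT * FROM Users WHERE UserId = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// htmlspecialchars() belongs here, when a value is written into HTML, so that an
// email like <b>x</b>@example.com stored in the database cannot inject markup.
function renderRows(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= '<li>' . htmlspecialchars($row['Email'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</li>\n";
    }
    return $html;
}

echo 'htmlspecialchars changed the payload: ', var_export(htmlspecialchars($input) !== $input, true), "\n";
echo 'concatenated query returned ', count(vulnerableLookup($pdo, $input)), " rows for one id\n";
try {
    safeLookup($pdo, $input);
} catch (InvalidArgumentException $e) {
    echo 'prepared path: ', $e->getMessage(), "\n";
}
echo renderRows(safeLookup($pdo, '105'));
```

The concatenated lookup returns both rows for a single id, the validated-and-bound lookup rejects the payload outright, and `htmlspecialchars()` only does useful work at the very end, when the result is turned into HTML. Whether the query is a SELECT or not makes no difference to any of this; a SELECT is enough to read every user's data.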
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
Is there a way to restrict php pdo execute() to run just the first sql statement?
For instance running
SELECT * FROM customer;DROP TABLE invoice
will return all customers but it will also delete the invoice table.
I have a situation where I need a whole SQL statement from a user but it must be a SELECT and nothing additional.
My example is just one of many that could be maliciously entered. It might include additional DROP, UPDATE, DELETE statements etc.
A prepared statement will simply replace ?s with values. It will not stop dangerous SQL statements being passed to it.
This would not be a problem if there were a way to restrict PHP PDO execute() to run just the first SQL statement.
If you're trying to prevent SQL injection, prepared statements can handle it.
You can use something like this to prevent SQL injection:
$stmt = $db->prepare("SELECT * FROM table WHERE id=? AND name=?");
$stmt->bindValue(1, $id, PDO::PARAM_INT);
$stmt->bindValue(2, $name, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
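A layered approach for the asker's actual situation (a whole user-supplied statement that must stay read-only), added here as an example rather than code from the question or the answer. The class, the `reporting` account, the DSN and the sample statements are assumptions constructed for the demo; the filter runs offline, the connection part needs a MySQL server:

```php
<?php
// Added example (not from the original question or answer). A user-supplied
// statement is not something placeholders address: they protect values inside a
// fixed query, not a query that is itself user input. Two layers are shown:
//   1. a conservative syntactic filter that admits only a single SELECT/WITH
//      statement and rejects anything it cannot be sure about;
//   2. running the statement on a connection whose database account has only
//      the SELECT privilege, with stacked statements disabled at the driver.
// Layer 2 is the real control; layer 1 only gives an early, readable error.
final class ReadOnlySqlFilter
{
    /**
     * Returns null when $sql is acceptable, otherwise the reason for rejection.
     * Comments and backslashes are rejected outright: SQL dialects disagree on
     * how they interact with quotes, and every such disagreement is a way to
     * hide a second statement from a checker that lexes differently from the server.
     */
    public static function reject(string $sql): ?string
    {
        if (!preg_match('/^\s*(select|with)\b/i', $sql)) {
            return 'statement must begin with SELECT or WITH';
        }
        if (strpos($sql, '\\') !== false) {
            return 'backslashes are not allowed';
        }
        $len   = strlen($sql);
        $quote = null;   // current quote character while inside '...', "..." or `...`
        for ($i = 0; $i < $len; $i++) {
            $c = $sql[$i];
            if ($quote !== null) {
                if ($c === $quote) {
                    $quote = null;   // a doubled quote ('') simply reopens on the next character
                }
                continue;
            }
            if ($c === "'" || $c === '"' || $c === '`') {
                $quote = $c;
                continue;
            }
            if ($c === '#' || substr($sql, $i, 2) === '--' || substr($sql, $i, 2) === '/*') {
                return 'comments are not allowed';
            }
            if ($c === ';') {
                // a trailing ; is fine; any non-space text after it is a second statement
                if (trim(substr($sql, $i + 1)) !== '') {
                    return 'only one statement is allowed';
                }
                break;
            }
        }
        return $quote === null ? null : 'unterminated quote';
    }
}

// Layer 2: a dedicated account created once by a DBA, e.g. (MySQL syntax):
//   CREATE USER 'reporting'@'%' IDENTIFIED BY '...';
//   GRANT SELECT ON app.* TO 'reporting'@'%';
// DSN, account name, database and environment variable are assumptions.
function runUserSelect(string $userSql): array
{
    if (($why = ReadOnlySqlFilter::reject($userSql)) !== null) {
        throw new InvalidArgumentException("rejected: $why");
    }
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'reporting', getenv('REPORTING_PASSWORD') ?: '', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
        // PDO_MySQL runs stacked statements in query()/exec() unless this is off
        PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
    ]);
    return $pdo->query($userSql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs for the filter: the first two pass, the rest are rejected
// (second statement, not a SELECT, comment that could hide a separator, backslash
// whose meaning depends on the server's escape mode).
$cases = [
    'SELECT * FROM customer;',
    "WITH c AS (SELECT * FROM customer) SELECT * FROM c WHERE name = 'O''Brien'",
    'SELECT * FROM customer;DROP TABLE invoice',
    'DELETE FROM invoice',
    "SELECT * FROM customer /* ';' */ ; DROP TABLE invoice",
    "SELECT '\\'; DROP TABLE invoice; --'",
];
foreach ($cases as $sql) {
    printf("%-72s => %s\n", $sql, ReadOnlySqlFilter::reject($sql) ?? 'ok');
}
```

The filter deliberately errs towards rejection: anything it would have to interpret the way the server does (comments, backslash escapes) is refused rather than parsed. It still cannot decide what a SELECT is allowed to read, nor stop read-only statements that are harmful anyway, such as `SELECT ... INTO OUTFILE` (needs the FILE privilege, which the account must not have) or a long `SELECT SLEEP(...)`; those are questions of privileges, timeouts and resource limits on the `reporting` account, which is why that account, not the string check, is the control to rely on.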