Is this code using PDO secure? [duplicate] - php

This question already has answers here:
Are PDO prepared statements sufficient to prevent SQL injection?
(7 answers)
Closed 9 years ago.
I am new to PDO. As I have heard, PDO can prevent SQL injection attacks.
Here's what I have written:
$db = new PDO('mysql:host=192.168.57.36;dbname=somedb;charset=UTF8', 'user1', 'pass1'); // no spaces after ';' in the DSN: the DSN parser does not trim them
$sql = "SELECT * FROM table1 WHERE id = ?";
$stmt = $db->prepare($sql);
$stmt->execute(array($tid)); // $tid holds the id value taken from the request
Is this code secure? I guess prepare() should do some securing work, but the variable is passed to the query after it.
Should I use addParam before the execution method?
Thank you.

Should I use addParam before the execution method?
No.
Passing a variable into execute() does pretty much the same thing.
There could be other issues, though; you can read on them here.
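The id lookup from the question written both ways (value handed to execute(), value bound with bindValue()), plus the connection options that cover the "other issues" the answer alludes to. This is an added example, not code from the question or the answer; host, database name, table name and credentials are placeholders.

```php
<?php
// Added example: both binding styles send the same prepared statement to the
// server; only how the parameter value is attached differs.
// Host, database name, table and credentials are placeholders.
$dsn = 'mysql:host=127.0.0.1;dbname=somedb;charset=utf8mb4'; // no spaces after ';'
$db = new PDO($dsn, 'user1', 'pass1', [
    // Throw on SQL errors instead of returning false and carrying on silently.
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    // Real server-side prepares: the value never touches the SQL text at all.
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Style 1, as in the question: the value is handed to execute().
function fetchByIdExecute(PDO $db, $tid): ?array
{
    $stmt = $db->prepare('SELECT * FROM table1 WHERE id = ?');
    $stmt->execute([$tid]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Style 2: explicit bindValue() with a declared type. Same protection; the
// declared type only matters in places such as LIMIT, where MySQL rejects a
// quoted string.
function fetchByIdBind(PDO $db, int $tid): ?array
{
    $stmt = $db->prepare('SELECT * FROM table1 WHERE id = :id');
    $stmt->bindValue(':id', $tid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Usage: whatever arrives in the request is delivered as one parameter value
// and never parsed as SQL, so quotes or keywords inside it cannot change the
// query. The second call additionally casts, so non-numeric input becomes 0.
$rowA = fetchByIdExecute($db, $_GET['id'] ?? '');
$rowB = fetchByIdBind($db, (int) ($_GET['id'] ?? 0));
var_dump($rowA, $rowB);
```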

Related

How do I prevent SQL injection in this code? Please add your suggestions to my code [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 5 years ago.
<?php
// I am fetching data from the SQL table "product". I want to prevent all unwanted characters and so on. Please add your suggestions to my code.
if (isset($_GET['search'])) {
    $search_query = $_GET['user_query'];
    $get_pro = "select * from product where title like '%$search_query%'";
    $run_pro = mysqli_query($con, $get_pro);
    while ($row_pro = mysqli_fetch_array($run_pro)) {
        $pro_title = $row_pro['title'];
        echo " <span>$pro_title</span> ";
    }
}
?>
To prevent SQL injection, PDO (PHP Data Objects) is the best way to go. PDO gives more flexibility to the programmer, because if you want to switch your project to another database, PDO makes the process very easy. You only have to change the connection string and a few queries.
If your project is in its initial stage and you want to attain more flexibility, I highly recommend switching over to PDO. To know more about PDO you can refer to this link: How does PHP PDO's prepared statements prevent sql injection? What are other benefits of using PDO? Does using PDO reduce efficiency?
Okay, coming back to the problem you asked about. To prevent SQL injection in the mysqli interface you could use the mysqli_real_escape_string() function, which takes two args:
connection: specifies the MySQL connection to use (required)
escapestring: the string to be escaped (required)
After this step your code will look like this:
$search_query = mysqli_real_escape_string($conn, $_GET['user_query']);
where $conn will be your connection handle.
You can append the '%' operator after this step and use the result to perform the query.

Why does mysql_real_escape_string not work on MySQLi? [duplicate]

This question already has answers here:
Can I mix MySQL APIs in PHP?
(4 answers)
Closed 6 years ago.
Why does mysql_real_escape_string not work on MySQLi?
When I use MySQL, I can use this code.
$test = mysql_real_escape_string($_POST['test']);
But when I update to use MySQLi, I tried to use
$test = mysql_real_escape_string($_POST['test']);
but it does not work.
How can I use mysql_real_escape_string on MySQLi?
If I cannot use mysql_real_escape_string on MySQLi, how can I protect against SQL injection?
Now I use
$test = $_POST['test'];
It's very bad for SQL injection.
How can I use mysql_real_escape_string on MySQLi?
Answer:
OOP approach:
$test = $conn->real_escape_string($_POST['test']);
Procedural approach:
$test = mysqli_real_escape_string($conn, $_POST['test']);
You are also asking how you can protect against SQL injection.
Answer: If you are going to use mysqli_* then you should use parameterized queries.
http://php.net/manual/en/mysqli.real-escape-string.php
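What "parameterized queries" looks like with mysqli, applied to the product title search from the earlier question (the "title like '%...%'" query). This is an added example, not code from either question or answer; host, database name and credentials are placeholders, and the product table with a title column is assumed from that question.

```php
<?php
// Added example: the LIKE search from the earlier mysqli question as a prepared
// statement. The search term is bound as a parameter, so it never becomes part
// of the SQL text; LIKE wildcards inside it are escaped too, so a "%" or "_"
// typed by a user stays literal instead of widening the match.
// Host, database name and credentials are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false
$con = new mysqli('127.0.0.1', 'user1', 'pass1', 'shopdb');
$con->set_charset('utf8mb4'); // client and server must agree on the charset

function searchProducts(mysqli $con, string $term): array
{
    // '!' is declared as the LIKE escape character below: double it, prefix
    // % and _ with it, and only then add our own surrounding wildcards.
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
    $pattern = '%' . $escaped . '%';

    $stmt = $con->prepare("SELECT title FROM product WHERE title LIKE ? ESCAPE '!'");
    $stmt->bind_param('s', $pattern);   // 's' = string; sent separately from the SQL text
    $stmt->execute();
    $stmt->bind_result($title);

    $titles = [];
    while ($stmt->fetch()) {
        $titles[] = $title;
    }
    $stmt->close();
    return $titles;
}

if (isset($_GET['search'])) {
    foreach (searchProducts($con, (string) ($_GET['user_query'] ?? '')) as $title) {
        // A parameterized query protects the database, not the browser:
        // escape on output so a title containing HTML cannot run as script.
        echo '<span>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</span>';
    }
}
```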

What is the correct way to do this PHP code? [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
I have this query
$query = "SELECT * FROM customers WHERE customer_name = '{$orders}'";
but when the value of $orders has a single quote ('), for example:
$orders = "Carlo's shop";
the query returns an error.
Is there any good way to handle this situation?
Use PDO with prepared statements. See reference docs.
$query = $pdo->prepare('SELECT * FROM customers WHERE customer_name = :orders');
$query->execute(array('orders' => $orders));
You can also look into using mysqli with prepared statements.

How to escape strings in PDO? [duplicate]

This question already has answers here:
Real escape string and PDO [duplicate]
(3 answers)
Closed 10 years ago.
I would like to know how to escape strings in PDO.
I have been escaping the strings as in the code below, but now with PDO I do not know how to do it.
$username = (isset($_POST['username'])) ? trim($_POST['username']) : '';
$previlage = (isset($_GET['previlage']));
$query = "SELECT * FROM site_user
    WHERE username = '" . mysql_real_escape_string($_SESSION['username']) . "' AND previlage = 'Admin'";
$security = mysql_query($query) or die(mysql_error($con));
$count = mysql_num_rows($security);
Well, you can use PDO::quote, but, as said in its own doc page...
If you are using this function to build SQL statements, you are
strongly recommended to use PDO::prepare() to prepare SQL statements
with bound parameters instead of using PDO::quote() to interpolate
user input into an SQL statement.
In your case it can look like this:
$query = "SELECT *
FROM site_user
WHERE username = :username AND previlage = 'Admin'";
$sth = $dbh->prepare($query);
$sth->execute(array(':username' => $_SESSION['username']));
mysql_* functions will not work in PDO. WHY? Because PDO doesn't use mysql to connect to databases. As far as input sanitization goes, PDO uses prepared statements; you can find a good tutorial for that here: pdo

How to safely escape the input data in PHP for MySQL [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 2 years ago.
Which means are, at the moment, the safest for screening data in PHP before sending it to the MySQL database?
Thank you :)
I believe mysql_real_escape_string() / mysqli_real_escape_string() is the best way to escape input data.
Later edit, since everything is deprecated now and the information must be valid:
Try to use PDO, as prepared statements are much safer, or mysqli_*() functions if you really need to keep old code somewhat up-to-date.
Currently the most preferred way to ensure your safety is prepared statements.
Example:
$preparedStatement = $db->prepare('SELECT * FROM members WHERE username = :username');
$preparedStatement->execute(array(':username' => $username));
$rows = $preparedStatement->fetchAll();
Then, when displaying your data, use htmlspecialchars().
function validMySQL($var) {
    $var = stripslashes($var);
    $var = htmlentities($var);
    $var = strip_tags($var);
    $var = mysql_real_escape_string($var);
    return $var;
}
The above code helps to sanitize most invalid data; just remember that you have to be connected to a MySQL database for mysql_real_escape_string to work...
