Do I need to use mysql_real_escape_string() on my input (such as $_POST and $_GET) when I use the PDO library?
How do I properly escape user input with PDO?
If you use PDO you can parametize your queries, removing the need to escape any included variables.
See here for a great introductory tutorial for PDO.
Using PDO you can seperate the SQL and passed parameters using prepared statements, this removes the need to escape strings, as because the two are held seperately then combined at execution, the parameters are automatically handled as stings, from the above source:
// where $dbh is your PDO connection
$stmt = $dbh->prepare("SELECT * FROM animals WHERE animal_id = :animal_id AND animal_name = :animal_name");
/*** bind the paramaters ***/
$stmt->bindParam(':animal_id', $animal_id, PDO::PARAM_INT);
$stmt->bindParam(':animal_name', $animal_name, PDO::PARAM_STR, 5);
/*** execute the prepared statement ***/
$stmt->execute();
Note: sanitization occurs during variable binding ($stmt->bindParam)
Other resources:
http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/
http://www.phpeveryday.com/articles/PDO-Prepared-Statement-P550.html
http://php.net/manual/en/pdo.prepared-statements.php
The important point when using PDO is:
PDO will only sanitize it for SQL, not for your application.
So yes, for writes, such as INSERT or UPDATE, it’s especially critical to still filter your data first and sanitize it for other things (removal of HTML tags, JavaScript, etc).
<?php
$pdo = new PDO(...);
$stmt = $pdo->prepare('UPDATE users SET name = :name WHERE id = :id');
$id = filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT); // <-- filter your data first
$name = filter_input(INPUT_GET, 'name', FILTER_SANITIZE_STRING); // <-- filter your data first
$stmt->bindParam(':id', $id, PDO::PARAM_INT); // <-- Automatically sanitized for SQL by PDO
$stmt->bindParam(':name', $name, PDO::PARAM_STR); // <-- Automatically sanitized for SQL by PDO
$stmt->execute();
Without sanitizing the user input, a hacker could have saved some javascript into your database and then, when output it into your site you would have been exposed to a threat!
http://www.phptherightway.com/#pdo_extension
Related
I am trying to be safe from Sql Injection by doing prepared statements + binding on all Database save/update/query actions.
But I got stuck in the moment in which the table name + user_id are variables. code:
// ALL USUAL $dbc MySqli DATABASE CONNECTION - then code statement prepare:
$stmt = $dbc->prepare("UPDATE ".$tablex." SET logo=?, last_mod=? WHERE ".$table_id."=?");
// or: $stmt = $dbc->prepare("UPDATE $tablex SET logo=?, last_mod=? WHERE $table_id=?"); same thing
$stmt->bind_param('ssi', $log_logo, $last_mod, $user_id);
// execute and do some checking
$status_save = $stmt->execute();
if ($status_save === false) {trigger_error($stmt->error, E_USER_ERROR);}
It has worked fine so far as long as $tablex and $table_id were known. Now they can have different names, and using a variable sets things wrong. What am I doing wrong here? Tx.
So I understand PDO Prepared Statements should protect from SQL injection and ' escapes. But when I attempted the following...
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST["id"]))
{
$id = $_POST["id"];
//$id = "2' AND name='Entry2";
$someinfo = "updated";
...DB Stuff...
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $dbpassword);
$stmt = $conn->prepare("UPDATE testdb SET info=:someinfo WHERE id=:id");
$stmt->bindParam(':id', $id);
$stmt->bindParam(':someinfo', $someinfo);
$stmt->execute();
$conn = null;
exit();
}
Then the row with id=2 and name=entry2 would be updated. Now it doesn't seem like this can be used to escape into other SQL queries, and I assume I can take precautions to ensure this kind of escape can't really do damage. But I wanted to be sure that there wasn't some other way to prevent ' escapes making unexpected changes to SQL query parameters. (Worth noting, I tried something similar in SQLi and got pretty much the same result.)
Is there something I'm missing? Or is this just the way Prepared Statements work.
After looking around some more, this behavior was eloquently explained/solved for me here:
https://phpdelusions.net/pdo#comment-277
It turns out it's not escaping the string, but instead truncating input after the integer which just made it appear to escape the string. I was able to confirm this upon modifying the code.
I'm currently writing a CMS and I want to prevent SQL injection.
I have the variable $url_variable which is a $_GET. Now I want to prepare the statement and search for the $url_variable in my table.
$stmt = $db_connect->prepare("SELECT * FROM $url_table WHERE url = ?");
$url_variable = $stmt->quote($url_variable);
$stmt->bind_param("s", $url_variable);
Now my questions: Is this code above right? Do I need the quote? And is it safe from any SQL injection?
You should create a whitelist for your $url_table variable and check if the table name is in your whitelist before you use it in your query. For example, you can do so with a simple if check:
if ($url_table == 'allowedTableName' || $url_table == 'anotherAllowedTableName')
{
$stmt = $db_connect->prepare("SELECT * FROM $url_table WHERE url = ?");
$stmt->bind_param("s", $url_variable);
//........
}
else {
die('Illegal table name provided');
}
You shouldn't quote your variable that is bound, you are good to go with the prepared statement!
Using bind_param protects those parameters from SQL injection. You don't need $stmt->quote, and it can actually cause the query to fail. It will add escape characters, and when you use bind_param it will search for these characters literally.
In this code:
if you use Url_Variable by method GET can be added strip_tags or htmlenteties to remove/prevent cross-site-scripting attacks by completely removing any HTML and PHP tags it finds, as in:
$url_variable=$_GET['url_variable'];
$url_variable=strip_tags($url_variable);
This is to avoid mal program/script.
More secure will be handled by prepared statements, as in:
$stmt = $db_connect->prepare("SELECT * FROM $url_table WHERE url = ?");
$stmt->bind_param("s", $url_variable);
Therefore, no need to use Quote in Mysqli since it has been used prepared statements and bind the parameters to ensure that you don't forget to escape a particular string which is led to a potential security problem.
You shouldn't quote bind variables in prepared statements - the statement takes care of that for you:
$stmt = $db_connect->prepare("SELECT * FROM $url_table WHERE url = ?");
$stmt->bind_param("s", $url_variable);
I have many functions like
updateUser($id,$username,$email)
updateMusic($id, $music)
etc...
Is there a generic function to avoid SQL injections ?
I just want to avoid using mysql_real_escape_string for each parameter I have
$username = mysql_real_escape_string($username);
$email= mysql_real_escape_string($email);
$music= mysql_real_escape_string($music);
ALWAYS use prepared statements
Do NOT use mysql driver, use mysqli or PDO
You should use parameterization and let the database driver handle it for you, i.e. with PDO:
$dbh = new PDO('mysql:dbname=testdb;host=127.0.0.1', $user, $password);
$stmt = $dbh->prepare('INSERT INTO REGISTRY (name, value) VALUES (:name, :value)');
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
// insert one row
$name = 'one';
$value = 1;
$stmt->execute();
Code from Bobby-Tables.
you may use,
list($id,$music) = array_map('mysql_real_escape_string',array($id,$music))
but prepared statements rocks
No there isn't, but you can parse all your inputs ( eg. GET and POST ) at beggining of the script
I'm using PDO and was under the impression that prepare escaped apostrophes but I can see that isn't the case. what do I use to escape my strings for apostrophes?
$sql = 'SELECT test FROM test WHERE id = :id';
$sth = $dbh->prepare($sql);
$sth->execute(array(':id' => 1));
$red = $sth->fetchAll();
I suspect that whilst you might be using a prepared statement, you are not binding parameters. For example, instead of
$val = "Some string with an a'postrophe in it";
$stmt = $pdo->prepare("UPDATE table SET col = '$val'");
$stmt->execute();
You should use
$val = "Some string with an a'postrophe in it";
$stmt = $pdo->prepare('UPDATE table SET col = :val');
$stmt->bindParam('val', $val);
$stmt->execute();
or at least
$val = "Some string with an a'postrophe in it";
$stmt = $pdo->prepare('UPDATE table SET col = :val');
$stmt->execute(array('val' => $val));
This is using named parameters but you can also use positional ones using ? as a placeholder
I am not sure I understand your question, but this might help with PDO escaping:
PDO::quote($data)
I Suspect you are not using preparred statements correctly, or there is something wrong with your code.
The docs specifically states:
The parameters to prepared statements
don't need to be quoted; the driver
automatically handles this. If an
application exclusively uses prepared
statements, the developer can be sure
that no SQL injection will occur
(however, if other portions of the
query are being built up with
unescaped input, SQL injection is
still possible).