Is this really sql injection proof? [duplicate]
This question already has an answer here:

  • How can I prevent SQL injection in PHP? (28 answers)
  • SQL injection that gets around mysql_real_escape_string() (5 answers)


So I have a UTF8MB4 database on phpMyAdmin for MySQL, and I'm using PDO in PHP for interacting with my database. I really want to know, just to be 100% sure, that the 'bindValue' function really escapes data. I've heard that the SQL query and the data are sent differently, but I want to know if it's true: is there any way 'bindValue' can be bypassed so that SQL injection can occur?



Example Code:

$db = new PDO(...); // connection details omitted in the question

// Notice how I'm not sanitizing $_GET, is this okay?
$query = $db->prepare("SELECT * FROM table WHERE Username = :username");
$query->bindValue(":username", $_GET["username"]);
$query->execute();
// rowCount() after a SELECT is not guaranteed by PDO for every driver (MySQL returns it for buffered queries)
echo "Rows: " . $query->rowCount();

while ($row = $query->fetch(PDO::FETCH_ASSOC)) {
    echo $row["Username"];
}

marked as duplicate by Shadow, Nov 25 '18 at 19:55

  • You may want to look at this Q&A here on Stack.
    – Funk Forty Niner, Nov 25 '18 at 19:51

  • The accepted answer there is about a WRONG use of mysql_real_escape_string, which isn't even mentioned here.
    – Walter Tross, Nov 25 '18 at 19:58

  • The parameters to prepared statements don't need to be quoted; the driver automatically handles this. If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible). php.net/manual/en/pdo.prepared-statements.php
    – Alon Eitan, Nov 25 '18 at 20:07

  • @WalterTross I think you should read more into it (the 2nd duplicate which I added). I too had mixed thoughts about that, and another member here on Stack shone some light on the subject. Just because someone uses PDO with a prepared statement doesn't mean they're not open to injection. If used correctly, mysql_real_escape_string() can be used to help against SQL injection. Fact of the matter, this is for any MySQL API.
    – Funk Forty Niner, Nov 25 '18 at 20:09

  • @FunkFortyNiner I disagree.
    – Walter Tross, Nov 26 '18 at 7:54
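As an added example (not code from the question or its comments) of the point raised in the comments about parts of a query that cannot be bound: the username stays a bound parameter and is compared literally whatever it contains, while the ORDER BY column, which PDO cannot bind, is checked against an allow-list before it goes anywhere near the SQL text. It runs against an in-memory SQLite database through pdo_sqlite with a constructed users table; findUsers() and SORTABLE_COLUMNS are names chosen here.

```php
<?php
// Added example, not code from the question or its comments. It uses an in-memory
// SQLite database (pdo_sqlite) so it runs stand-alone; the table and rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (Username TEXT, Email TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Identifiers (column and table names) cannot be bound with bindValue(), so the only
// safe way to let the caller choose the sort column is to compare it against fixed names.
const SORTABLE_COLUMNS = ['Username', 'Email'];

function findUsers(PDO $db, string $username, string $orderBy): array
{
    if (!in_array($orderBy, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException("unsupported sort column");
    }
    // $orderBy is now one of our own literals, so interpolating it adds no user data to
    // the SQL text. The username stays a bound parameter and travels separately from the
    // statement, so whatever it contains is compared as a value, never parsed as SQL.
    $query = $db->prepare(
        "SELECT Username, Email FROM users WHERE Username = :username ORDER BY $orderBy"
    );
    $query->bindValue(':username', $username, PDO::PARAM_STR);
    $query->execute();
    return $query->fetchAll(PDO::FETCH_ASSOC);
}

// Ordinary lookup: exactly one row for 'alice'.
printf("alice: %d row(s)\n", count(findUsers($db, 'alice', 'Username')));

// Input containing quote characters and SQL keywords is compared literally as a
// username, so it matches nothing and the WHERE clause is not altered.
printf("quoted input: %d row(s)\n", count(findUsers($db, "alice' OR '1'='1", 'Username')));

// A sort column that is not on the allow-list is rejected before any SQL is built.
try {
    findUsers($db, 'alice', 'Password');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

With MySQL, as in the question, also set charset=utf8mb4 in the DSN: when PDO falls back to emulated prepares it quotes the value client-side, and that quoting has to know the connection's character set.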

php mysql pdo sql-injection

edited Nov 25 '18 at 19:54 by Funk Forty Niner
asked Nov 25 '18 at 19:50 by Lol Boi