Is this really sql injection proof? [duplicate]












0
















This question already has an answer here:




  • How can I prevent SQL injection in PHP?

    28 answers



  • SQL injection that gets around mysql_real_escape_string()

    5 answers




So I have a UTF8MB4 database on phpMyAdmin for MySQL, and I'm using PDO in PHP for interacting with my database, and I really want to know, just to be 100% sure that the 'bindValue' function really escapes data, I've heard that the SQL Query and the data is sent differently but I want to know if it's true, is there any way 'bindValue' can be bypassed where SQL injection can occur?



Example Code:



$db = new PDO(...);



//Notice how I'm not sanitizing $_GET, is this okay?

$query = $db->prepare("SELECT * FROM table WHERE Username = :username");

$query->bindValue(":username", $_GET["username"]);

$query->execute();

echo "Rows: " . $query->rowCount();



while($row = ...) {

    echo $row["Username"];

}





php mysql pdo sql-injection







share|improve this question















marked as duplicate by Shadow mysql
Users with the  mysql badge can single-handedly close mysql questions as duplicates and reopen them as needed.

StackExchange.ready(function() {
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function() {
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function() {
$hover.showInfoMessage('', {
messageElement: $msg.clone().show(),
transient: false,
position: { my: 'bottom left', at: 'top center', offsetTop: -7 },
dismissable: false,
relativeToBody: true
});
},
function() {
StackExchange.helpers.removeMessages();
}
);
});
});
 Nov 25 '18 at 19:55


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.














  • 1





    You may want to look at this Q&A here on Stack.

    – Funk Forty Niner
    Nov 25 '18 at 19:51











  • The accepted answer there is about a WRONG use of mysql_real_escape_string, which isn't even mentioned here.

    – Walter Tross
    Nov 25 '18 at 19:58






  • 1





    The parameters to prepared statements don't need to be quoted; the driver automatically handles this. If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible). php.net/manual/en/pdo.prepared-statements.php

    – Alon Eitan
    Nov 25 '18 at 20:07













  • @WalterTross I think you should read more into it (the 2nd duplicate which I added). I too had mixed thoughts about that and another member here on Stack shone some light on the subject. Just because someone uses PDO with a prepared statement, doesn't mean they're not open to injection. If used correctly, mysql_real_escape_string() can be used to help against an sql injection. Fact of the matter, this is for any mysql api.

    – Funk Forty Niner
    Nov 25 '18 at 20:09











  • @FunkFortyNiner I disagree

    – Walter Tross
    Nov 26 '18 at 7:54
















0
















This question already has an answer here:




  • How can I prevent SQL injection in PHP?

    28 answers



  • SQL injection that gets around mysql_real_escape_string()

    5 answers




So I have a UTF8MB4 database on phpMyAdmin for MySQL, and I'm using PDO in PHP for interacting with my database, and I really want to know, just to be 100% sure that the 'bindValue' function really escapes data, I've heard that the SQL Query and the data is sent differently but I want to know if it's true, is there any way 'bindValue' can be bypassed where SQL injection can occur?



Example Code:



$db = new PDO(...);



//Notice how I'm not sanitizing $_GET, is this okay?

$query = $db->prepare("SELECT * FROM table WHERE Username = :username");

$query->bindValue(":username", $_GET["username"]);

$query->execute();

echo "Rows: " . $query->rowCount();



while($row = ...) {

    echo $row["Username"];

}





php mysql pdo sql-injection







share|improve this question















marked as duplicate by Shadow mysql
Users with the  mysql badge can single-handedly close mysql questions as duplicates and reopen them as needed.

StackExchange.ready(function() {
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function() {
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function() {
$hover.showInfoMessage('', {
messageElement: $msg.clone().show(),
transient: false,
position: { my: 'bottom left', at: 'top center', offsetTop: -7 },
dismissable: false,
relativeToBody: true
});
},
function() {
StackExchange.helpers.removeMessages();
}
);
});
});
 Nov 25 '18 at 19:55


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.














  • 1





    You may want to look at this Q&A here on Stack.

    – Funk Forty Niner
    Nov 25 '18 at 19:51











  • The accepted answer there is about a WRONG use of mysql_real_escape_string, which isn't even mentioned here.

    – Walter Tross
    Nov 25 '18 at 19:58






  • 1





    The parameters to prepared statements don't need to be quoted; the driver automatically handles this. If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible). php.net/manual/en/pdo.prepared-statements.php

    – Alon Eitan
    Nov 25 '18 at 20:07













  • @WalterTross I think you should read more into it (the 2nd duplicate which I added). I too had mixed thoughts about that and another member here on Stack shone some light on the subject. Just because someone uses PDO with a prepared statement, doesn't mean they're not open to injection. If used correctly, mysql_real_escape_string() can be used to help against an sql injection. Fact of the matter, this is for any mysql api.

    – Funk Forty Niner
    Nov 25 '18 at 20:09











  • @FunkFortyNiner I disagree

    – Walter Tross
    Nov 26 '18 at 7:54














0












0








0


1







This question already has an answer here:




  • How can I prevent SQL injection in PHP?

    28 answers



  • SQL injection that gets around mysql_real_escape_string()

    5 answers




So I have a UTF8MB4 database on phpMyAdmin for MySQL, and I'm using PDO in PHP for interacting with my database, and I really want to know, just to be 100% sure that the 'bindValue' function really escapes data, I've heard that the SQL Query and the data is sent differently but I want to know if it's true, is there any way 'bindValue' can be bypassed where SQL injection can occur?



Example Code:



$db = new PDO(...);



//Notice how I'm not sanitizing $_GET, is this okay?

$query = $db->prepare("SELECT * FROM table WHERE Username = :username");

$query->bindValue(":username", $_GET["username"]);

$query->execute();

echo "Rows: " . $query->rowCount();



while($row = ...) {

    echo $row["Username"];

}





php mysql pdo sql-injection







share|improve this question

















This question already has an answer here:




  • How can I prevent SQL injection in PHP?

    28 answers



  • SQL injection that gets around mysql_real_escape_string()

    5 answers




So I have a UTF8MB4 database on phpMyAdmin for MySQL, and I'm using PDO in PHP for interacting with my database, and I really want to know, just to be 100% sure that the 'bindValue' function really escapes data, I've heard that the SQL Query and the data is sent differently but I want to know if it's true, is there any way 'bindValue' can be bypassed where SQL injection can occur?



Example Code:



$db = new PDO(...);



//Notice how I'm not sanitizing $_GET, is this okay?

$query = $db->prepare("SELECT * FROM table WHERE Username = :username");

$query->bindValue(":username", $_GET["username"]);

$query->execute();

echo "Rows: " . $query->rowCount();



while($row = ...) {

    echo $row["Username"];

}




This question already has an answer here:




  • How can I prevent SQL injection in PHP?

    28 answers



  • SQL injection that gets around mysql_real_escape_string()

    5 answers







php mysql pdo sql-injection




php mysql pdo sql-injection






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 25 '18 at 19:54









Funk Forty Niner

1




1










asked Nov 25 '18 at 19:50









Lol BoiLol Boi

274




274




marked as duplicate by Shadow mysql
Users with the  mysql badge can single-handedly close mysql questions as duplicates and reopen them as needed.

StackExchange.ready(function() {
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function() {
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function() {
$hover.showInfoMessage('', {
messageElement: $msg.clone().show(),
transient: false,
position: { my: 'bottom left', at: 'top center', offsetTop: -7 },
dismissable: false,
relativeToBody: true
});
},
function() {
StackExchange.helpers.removeMessages();
}
);
});
});
 Nov 25 '18 at 19:55


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.









marked as duplicate by Shadow mysql
Users with the  mysql badge can single-handedly close mysql questions as duplicates and reopen them as needed.

StackExchange.ready(function() {
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function() {
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function() {
$hover.showInfoMessage('', {
messageElement: $msg.clone().show(),
transient: false,
position: { my: 'bottom left', at: 'top center', offsetTop: -7 },
dismissable: false,
relativeToBody: true
});
},
function() {
StackExchange.helpers.removeMessages();
}
);
});
});
 Nov 25 '18 at 19:55


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.










  • 1





    You may want to look at this Q&A here on Stack.

    – Funk Forty Niner
    Nov 25 '18 at 19:51











  • The accepted answer there is about a WRONG use of mysql_real_escape_string, which isn't even mentioned here.

    – Walter Tross
    Nov 25 '18 at 19:58






  • 1





    The parameters to prepared statements don't need to be quoted; the driver automatically handles this. If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible). php.net/manual/en/pdo.prepared-statements.php

    – Alon Eitan
    Nov 25 '18 at 20:07













  • @WalterTross I think you should read more into it (the 2nd duplicate which I added). I too had mixed thoughts about that and another member here on Stack shone some light on the subject. Just because someone uses PDO with a prepared statement, doesn't mean they're not open to injection. If used correctly, mysql_real_escape_string() can be used to help against an sql injection. Fact of the matter, this is for any mysql api.

    – Funk Forty Niner
    Nov 25 '18 at 20:09











  • @FunkFortyNiner I disagree

    – Walter Tross
    Nov 26 '18 at 7:54














  • 1





    You may want to look at this Q&A here on Stack.

    – Funk Forty Niner
    Nov 25 '18 at 19:51











  • The accepted answer there is about a WRONG use of mysql_real_escape_string, which isn't even mentioned here.

    – Walter Tross
    Nov 25 '18 at 19:58






  • 1





    The parameters to prepared statements don't need to be quoted; the driver automatically handles this. If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible). php.net/manual/en/pdo.prepared-statements.php

    – Alon Eitan
    Nov 25 '18 at 20:07













  • @WalterTross I think you should read more into it (the 2nd duplicate which I added). I too had mixed thoughts about that and another member here on Stack shone some light on the subject. Just because someone uses PDO with a prepared statement, doesn't mean they're not open to injection. If used correctly, mysql_real_escape_string() can be used to help against an sql injection. Fact of the matter, this is for any mysql api.

    – Funk Forty Niner
    Nov 25 '18 at 20:09











  • @FunkFortyNiner I disagree

    – Walter Tross
    Nov 26 '18 at 7:54








1




1





You may want to look at this Q&A here on Stack.

– Funk Forty Niner
Nov 25 '18 at 19:51





You may want to look at this Q&A here on Stack.

– Funk Forty Niner
Nov 25 '18 at 19:51













The accepted answer there is about a WRONG use of mysql_real_escape_string, which isn't even mentioned here.

– Walter Tross
Nov 25 '18 at 19:58





The accepted answer there is about a WRONG use of mysql_real_escape_string, which isn't even mentioned here.

– Walter Tross
Nov 25 '18 at 19:58




1




1





The parameters to prepared statements don't need to be quoted; the driver automatically handles this. If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible). php.net/manual/en/pdo.prepared-statements.php

– Alon Eitan
Nov 25 '18 at 20:07







The parameters to prepared statements don't need to be quoted; the driver automatically handles this. If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible). php.net/manual/en/pdo.prepared-statements.php

– Alon Eitan
Nov 25 '18 at 20:07















@WalterTross I think you should read more into it (the 2nd duplicate which I added). I too had mixed thoughts about that and another member here on Stack shone some light on the subject. Just because someone uses PDO with a prepared statement, doesn't mean they're not open to injection. If used correctly, mysql_real_escape_string() can be used to help against an sql injection. Fact of the matter, this is for any mysql api.

– Funk Forty Niner
Nov 25 '18 at 20:09





@WalterTross I think you should read more into it (the 2nd duplicate which I added). I too had mixed thoughts about that and another member here on Stack shone some light on the subject. Just because someone uses PDO with a prepared statement, doesn't mean they're not open to injection. If used correctly, mysql_real_escape_string() can be used to help against an sql injection. Fact of the matter, this is for any mysql api.

– Funk Forty Niner
Nov 25 '18 at 20:09













@FunkFortyNiner I disagree

– Walter Tross
Nov 26 '18 at 7:54





@FunkFortyNiner I disagree

– Walter Tross
Nov 26 '18 at 7:54












0






active

oldest

votes

















0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes

-

Popular posts from this blog

Contact image not getting when fetch all contact list from iPhone by CNContact

Image
up vote 0 down vote favorite I know this question already asked but not getting solution. From this code I will get all the information from the contact but image not found when open vcf files on mac os, also not getting when share this file. I use this stackoverflow link here but It's not help full. var contacts = [CNContact]() let keys = [CNContactVCardSerialization.descriptorForRequiredKeys() ] as [Any] let request = CNContactFetchRequest(keysToFetch: keys as! [CNKeyDescriptor]) do { try self.contactStore.enumerateContacts(with: request) { (contact, stop) in // Array containing all unified contacts from everywhere contacts.append(contact) } } catch { print("unable to fetch contacts") } do { let data = try
Read more

count number of partitions of a set with n elements into k subsets

Image
up vote 6 down vote favorite 1 This program is for count number of partitions of a set with n elements into k subsets I am confusing here return k*countP(n-1, k) + countP(n-1, k-1); can some one explain what is happening here? why we are multiplying with k? NOTE->I know this is not the best way to calculate number of partitions that would be DP // A C++ program to count number of partitions // of a set with n elements into k subsets #include<iostream> using namespace std; // Returns count of different partitions of n // elements in k subsets int countP(int n, int k) { // Base cases if (n == 0 || k == 0 || k > n) return 0; if (k == 1 || k == n) return 1; // S(n+1, k) = k*S(n, k) + S(n, k-1) return k*countP(n-1, k) + countP(n-1, k-1); } // Driver program int ma
Read more

A CLEAN and SIMPLE way to add appendices to Table of Contents and bookmarks

Image
0 I found a lot of questions abount appendices and ToC. Many users want appendices to be grouped in an Appendix part, however some problems arise with ToC, hyperref, PDF viewer bookmarks, and so on. There are different solutions which require extra packages, command patching and other extra code, however none of them satisfies me. I almost found an easy way to accomplish a good result, where appendices are added to bookmarks in the right way and hyperref links point to the right page. However, the number of the "Appendix" part page is wrong (it's the number of appendix A). Is there any EASY way to fix that? This is a MWE: documentclass{book} usepackage[nottoc,notlot,notlof]{tocbibind} usepackage{hyperref} begin{document} frontmatter tableofcontents mainmatter part{First} chapter{
Read more