Is this really sql injection proof? [duplicate]
This question already has an answer here:
How can I prevent SQL injection in PHP?
28 answers
SQL injection that gets around mysql_real_escape_string()
5 answers
So I have a UTF8MB4 database on phpMyAdmin for MySQL, and I'm using PDO in PHP for interacting with my database, and I really want to know, just to be 100% sure, that the 'bindValue' function really escapes data. I've heard that the SQL query and the data are sent differently, but I want to know if it's true: is there any way 'bindValue' can be bypassed so that SQL injection can occur?
Example Code:
$db = new PDO(...); // DSN and credentials left out of the question
// Notice how I'm not sanitizing $_GET, is this okay?
// ("table" is a reserved word in MySQL; a real table name, or backticks, is needed here)
$query = $db->prepare("SELECT * FROM table WHERE Username = :username");
$query->bindValue(":username", $_GET["username"]);
$query->execute();
echo "Rows: " . $query->rowCount(); // rowCount() on a SELECT is driver-dependent
while ($row = ...) { // fetch call left out of the question
    echo $row["Username"];
}
php mysql pdo sql-injection
marked as duplicate by Shadow
Nov 25 '18 at 19:55
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
1
You may want to look at this Q&A here on Stack.
– Funk Forty Niner
Nov 25 '18 at 19:51
The accepted answer there is about a WRONG use of mysql_real_escape_string, which isn't even mentioned here.
– Walter Tross
Nov 25 '18 at 19:58
1
The parameters to prepared statements don't need to be quoted; the driver automatically handles this. If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible). php.net/manual/en/pdo.prepared-statements.php
– Alon Eitan
Nov 25 '18 at 20:07
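Worked illustration of the two points in the comment above (a bound value is sent as data and is never parsed as SQL; anything that is not a value, such as a column name, cannot be bound and must be validated another way). This is an example added by the editor, not code from the asker or from any commenter. It uses an in-memory SQLite database so it runs without a MySQL server; the users table, its rows and the SORTABLE allowlist are constructed for the example, and the MySQL DSN shown in the comment uses placeholder host and credentials.

```php
<?php
// Added example (not the asker's code). Constructed data throughout.
declare(strict_types=1);

function connect(): PDO
{
    // Production MySQL connection (placeholders for host, database and user):
    //   new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    //       PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    //       PDO::ATTR_EMULATE_PREPARES => false, // statement and values travel separately
    //   ]);
    // Naming the charset in the DSN matters: the second linked duplicate is about an
    // escaping bypass that depends on a client/server charset mismatch.
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $db->exec('CREATE TABLE users (Username TEXT NOT NULL, Email TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (Username, Email) VALUES (:u, :e)');
    // Constructed sample rows; one username deliberately contains a quote.
    foreach ([['alice', 'alice@example.test'], ["O'Brien", 'ob@example.test']] as [$u, $e]) {
        $ins->execute([':u' => $u, ':e' => $e]);
    }
    return $db;
}

// Bound parameter: the value is compared as data, so a quote inside it is just a quote.
function findUser(PDO $db, string $username): array
{
    $st = $db->prepare('SELECT Username, Email FROM users WHERE Username = :username');
    $st->bindValue(':username', $username, PDO::PARAM_STR);
    $st->execute();
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers cannot be bound. Accept only names from a fixed allowlist; otherwise an
// ORDER BY built from user input is exactly the "other portion of the query" the
// comment above warns about.
const SORTABLE = ['Username', 'Email'];

function listUsers(PDO $db, string $orderBy): array
{
    if (!in_array($orderBy, SORTABLE, true)) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    // Safe to interpolate: $orderBy is one of our own literals, not the caller's string.
    return $db->query("SELECT Username, Email FROM users ORDER BY $orderBy")
              ->fetchAll(PDO::FETCH_ASSOC);
}

$db = connect();

// A username containing a quote would break a concatenated query; bound, it matches the stored row.
var_dump(findUser($db, "O'Brien"));
// The whole string, quote and all, is compared against Username, so nothing matches.
var_dump(findUser($db, "alice' OR 1=1"));

var_dump(listUsers($db, 'Email'));
try {
    // Even a harmless-looking variation is rejected: only exact allowlisted names pass.
    listUsers($db, 'Email DESC');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Run it with the PHP CLI (`php example.php`); it needs the pdo_sqlite extension, which ships with most PHP builds. The design point is that binding answers the asker's question for values only; for sort columns, table names, LIMIT fragments and similar, the code must choose from its own literals rather than pass anything user-controlled into the SQL string.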
@WalterTross I think you should read more into it (the 2nd duplicate which I added). I too had mixed thoughts about that and another member here on Stack shone some light on the subject. Just because someone uses PDO with a prepared statement, doesn't mean they're not open to injection. If used correctly, mysql_real_escape_string() can be used to help against an sql injection. Fact of the matter, this is for any mysql api.
– Funk Forty Niner
Nov 25 '18 at 20:09
@FunkFortyNiner I disagree
– Walter Tross
Nov 26 '18 at 7:54
edited Nov 25 '18 at 19:54 by Funk Forty Niner
asked Nov 25 '18 at 19:50 by Lol Boi