i kept reading on sql injections after answering a guy on the subject and end up on this page: http://php.net/manual/en/pdo.prepared-statements.php
which i think is great for optimisation and i will probably apply on this portal im working on, but ...
what do you guys think about this prebuild template like versus sql injections ?
would you trust this prepared statement for security or you will still apply some security measures?
thx for your input
Hey, throwing this out there.
(I spend my time researching/developing Speech Algorithms so don't code much in PHP anymore) but I read an article that said that PDO removes the risk of SQL injections.. So probabily. There's a lot of debate to whether PDO or MYSQLI is more efficient etc.. :)
It reduces risk. Always validate your inputs. Don't blindly inject a value, even if you are binding it. It may be the wrong type and you end up with unexpected results.
copy that @pritaeas, thx
I agree with pritaeas, when it comes to security the more "layers" you can have the more secure you will be. While PDO helps to mitigate risk, there will always be unexpected input or ways discovered to circumvent that particular security check. For proper risk management I would alwyas verify user input against what it should be before sending it to be actioned.
Defence in Depth. php have VALIDATE and SANITIZE filters for common types. You could also force data (cast) to certain types. You could also use regex to check patterns.
http://www.php.net/manual/en/filter.filters.sanitize.php
http://www.php.net/manual/en/filter.filters.validate.php
Don't depend on the PDO::PARAM_* to cast your data as they don't seem to do much, bool/int conversions in the main.
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.
