2

Are PHP PDO statements automatically escaped, or only prepared statements?

For example, assume that $username and $password are user inputs. Is the following code secure, or is it vulnerable to injection?

$dbh = new PDO("mysql:host=localhost;dbname=mydb", $my_mysql_username, $my_mysql_password);
$sth = $dbh->query("SELECT * FROM users WHERE username='$username' AND password='$password'");
$result = $sth->fetch();
if(!$result){
    $dbh->exec("INSERT INTO users (username, password) VALUES ('$username', '$password')");
}

(The above code is purely hypothetical, for example purposes only.)

If they are not automatically escaped, does PDO provide any extra protection over the mysql_ functions in this situation?

HellaMad
  • 5,294
  • 6
  • 31
  • 53
  • 1
    AFAIK they are not, because how would it know what part of the query string to escape? It will otherwise accidentally escape intended quotes. – kittycat Nov 25 '12 at 03:47

2 Answers2

5

Only prepared statements provide automagic escaping, assuming you don't have some ugliness like magic quotes enabled. And only the data in the params is escaped, not anything that's already in the SQL string when you prepare the statement.

If you want the benefits of auto escaping, you'll have to prepare a statement and feed it the data separately.

$sth = $dbh->prepare("SELECT * FROM users WHERE username=? AND password=?");
$sth->execute(array($username, $password));

Otherwise, you get little to no protection over mysqli_query and friends. (I refuse to even mention mysql_query, because no self-respecting PHP programmer uses it anymore. Oh, wait..damn. Well, that's the only mention it gets here.)

cHao
  • 84,970
  • 20
  • 145
  • 172
3

They are not escaped. You can see examples here:

http://www.phptherightway.com/#pdo

ChocoDeveloper
  • 14,160
  • 26
  • 79
  • 117