
I am considering using a MySQL wrapper named Zebra_Database found here:

http://stefangabos.ro/php-libraries/zebra-database/

Can someone tell by the code if this protects against SQL injection or are there further steps I should take to protect myself?

Thanks!!

user390480
  • It encourages the use of prepared statements, which are not susceptible to sql injection. From the front page "It encourages developers to write maintainable code and provides a better default security layer by encouraging the use of prepared statements, where parameters are automatically escaped." – Benjamin Gruenbaum Mar 29 '13 at 18:51
  • So basically that just means to wrap each input with mysqli_real_escape_string? – user390480 Mar 29 '13 at 18:56
  • No, it means you should use prepared statements, which are not susceptible to SQL injection to begin with. – Benjamin Gruenbaum Mar 29 '13 at 22:43
  • @benjamin-gruenbaum Thank you. I'll mark this as the answer if you add it as an answer. – user390480 Mar 30 '13 at 15:19

2 Answers


It encourages the use of prepared statements - the same limited version used by mysqli - so, it offers no 100% protection.
It uses some sort of query builder - so, it makes your SQL too inflexible (and - therefore - insecure again).

Personally I wouldn't use it, but for starters it's better than "wrap each input with mysqli_real_escape_string" anyway.

Your Common Sense


It encourages the use of prepared statements, which are not susceptible to SQL injection.

From the front page of Zebra_Database:

It encourages developers to write maintainable code and provides a better default security layer by encouraging the use of prepared statements, where parameters are automatically escaped.

Which means you should use prepared statements, which are not susceptible to SQL injection to begin with. See this question about the usage of prepared statements.

Benjamin Gruenbaum
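As an added example that is not part of either answer and not code from Zebra_Database, the PHP below contrasts a query built by string concatenation with a prepared statement, and then shows the case the first answer calls "limited": placeholders bind values only, so an identifier such as an ORDER BY column still has to be whitelisted. It uses SQLite through PDO (an assumption, chosen so it runs without a MySQL server); mysqli's prepare/bind_param behaves the same way for bound values.

```php
<?php
// Added example: string-built SQL versus a prepared statement.
// Assumes the pdo_sqlite extension is available; an in-memory database
// is used so the script runs stand-alone.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed input: a quote followed by a tautology, the kind of value
// that breaks out of a hand-built string literal.
$input = "x' OR '1'='1";

// Vulnerable: the input becomes part of the SQL text itself, so the
// WHERE clause is rewritten and every row matches.
$unsafe = $db->query("SELECT name FROM users WHERE name = '$input'")
             ->fetchAll(PDO::FETCH_COLUMN);

// Prepared statement: the value travels separately from the SQL text,
// is compared literally, and is never parsed as SQL.
$stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
$stmt->execute([$input]);
$safe = $stmt->fetchAll(PDO::FETCH_COLUMN);
// $safe is empty: no user is literally named "x' OR '1'='1".

// The limitation the first answer refers to: a placeholder cannot stand
// in for an identifier. A column name chosen by the caller must be
// checked against a fixed whitelist before it is spliced into the query.
function orderedUsers(PDO $db, string $column): array
{
    $allowed = ['id', 'name'];                 // the only columns we permit
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("unknown sort column: $column");
    }
    return $db->query("SELECT name FROM users ORDER BY $column")
              ->fetchAll(PDO::FETCH_COLUMN);
}

printf("string-built: %d rows, prepared: %d rows\n", count($unsafe), count($safe));
print_r(orderedUsers($db, 'name'));
```

Running it shows 2 rows for the string-built query and 0 for the prepared one with the same input, which is the whole difference between escaping by hand and binding parameters.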