
So recently I heard PDO actually isn't safe unless you know exactly what you're doing, or in my case, copy/pasting. Not only that, I didn't know you can't trust your own database either from an attack. So well, it doesn't feel too right to ask what I'm asking, but I need to make sure I'm safe before it's too late. Not only that, I'm making a game website where users can save their games and when you lose saved game data, a lot of us know that it really really sucks. Here is what my PDO connection currently looks like:

// DSN keys and values are written without surrounding spaces so PDO recognises them
$DataB = new PDO( 'mysql:dbname=dbname;host=host.host.host;charset=utf8', 'username', 'password' );
$DataB -> setAttribute( PDO::ATTR_EMULATE_PREPARES, false );
$DataB -> setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );

Honestly, all I know is that it's PDO, and works. Is this pretty much safe to use if I don't change it? Also, what about when I'm inserting data? Well, like this:

$a = $DataB -> prepare( "INSERT INTO `names` (`first`,`last`) VALUES (?,?)" );
$a -> execute( array( $FirstName, $LastName ) );

Now to be honest I'm not too sure if I wrote that correctly, but that's only because I have it in a personal function I made and it would take a while before I can decode it (the same with the following below too). Now for updating, I've been using this:

$DataB -> prepare( "UPDATE `names` SET :fn WHERE id = :a" ) -> execute( array( ':a' => $IDnumber, ':fn' => $NewFname ) );

which is kind of the same, but it works on one line. I'm not sure if it matters, but I'm not a genius. But I always prefer shorter code when possible. Now my select one:

$a = $DataB -> prepare( "SELECT * FROM `names` WHERE `password` = :pw AND `email` = :e " );
$a -> execute( array( ':pw' => $_COOKIE['password'], ':e' => $_COOKIE['email'] ) );
while ( $b = $a -> fetch( PDO::FETCH_ASSOC ) ) { $Fname = $b['first']; }
echo $Fname; // <- filtered HTML in real life

Which makes me wonder if there are any filters I'm missing for the PDOs I have, since I heard I can't trust my own database either. Now, that's pretty much my database user stuff with nothing extra missing (well, nothing important missing). And yes, I have read this on this website which sort of says you can't prevent a certain attack before PHP 5.3.6, but my website only has PHP 5.3.0. Or, that's what a live person I just asked said. But still, I'm not certain if how I use my database is even the proper way to use it, for when I insert, update, and select/other user-made data when who knows what it looks like.

So long story short, I need to make sure this works in PHP 5.3.0 and doesn't mess up anything important with random user-made data.

Hybrilynx
    Sounds more like a question for http://codereview.stackexchange.com, not a concrete technical question. – deceze Apr 17 '13 at 05:52
  • 1
    ^ It does, but I did not know that website existed. Every time I search problems on Google only this website ever has the answers. Although, both websites do kind of feel the same. The other one just seems like 'let's-chat'. While this one feels like 'post-your-problem'. I will review that website more though, I guess. – Hybrilynx Apr 17 '13 at 06:04
  • Stackoverflow is like an index of typical programming problems; if you have a specific error message or common problem, there should be an answer for it on Stackoverflow. *Your* question is more of a personalized *"can I please have a second set of eyes look at this"* question, which does not necessarily help anyone coming here in the future and just clogs up the system. Codereview was made specifically for these kinds of questions. – deceze Apr 17 '13 at 06:09
  • As a matter of fact, it's just a dead site. You scarcely can get a single answer there. You know, it's virtual reality in which some people live. They diligently issue some laws and orders but never have an idea that neither of them actually works. One of such issues is "this code belongs to code review". While you'd never get a useful answer there. Yet on SO you have a chance, if I spot your question and have time to write an answer before it gets closed – Your Common Sense Apr 17 '13 at 06:09
  • @Your Codereview may not be as active as Stackoverflow, but then *nothing is!* SO on the other hand is overflowing with stuff (pun partly intended) and is losing its focus. If you don't try to enforce some sort of structure and categorizing, SO will become useless for its main purpose: help solve *common* problems *for everyone*. (It's arguably already too late, finding a canonical, *right* answer for certain problems is already virtually impossible.) – deceze Apr 17 '13 at 06:12
  • @deceze You know, I mightily agree with this latter sentence. Nevertheless, it's the very **virtual rules that never work** I am talking about that are responsible for the situation. One has to cure the disease, not the symptom. But because it's impossible to move those big guys in charge even a bit from their position - I just gave up. This site **is** an endless assembly line of answering identical questions. Nothing can be done. So, all I can do is just to join the flow and let it go, trying to share some knowledge. – Your Common Sense Apr 17 '13 at 06:26
  • @Your I don't think it's a problem of moving "those big guys in charge", it's a problem of everyone and their brother coming here to ask whatever seems appropriate to them without trying to understand what the philosophy behind this site is. "The big guys" are *trying* to direct people into the right lanes, but it's like a parking lot attendant vs. a typhoon. I'd agree that trying to fight it is almost impossible, but one can try, no? – deceze Apr 17 '13 at 06:33
  • @deceze their methods are proven to be ineffective and they themselves prefer to close their eyes, pretending that there is no problem at all. Also, you just raised another important point. This site's philosophy is **extremely contradictory**. There is no consistent code or policy but just a set of random rules which contradict each other. So, for whatever particular case there could be more than one opposite interpretation. Sometimes it is driving me nuts, as you know. But I am trying my best to hold the reins :) – Your Common Sense Apr 17 '13 at 06:42
  • @Your Meh, you may be right. I'm probably of the old guard, having followed the concept of this site since before it launched. I guess nobody really remembers that anymore. Uphill in the snow, both ways, etc. – deceze Apr 17 '13 at 06:52

1 Answer

PDO actually isn't safe unless you know exactly what you're doing,

That's right. Not only for PDO, though.

when you lose save game data, a lot of us know that it really really sucks.

Back it up.

Here is what my PDO connection currently looks like:

Here is how it should look.

Is this pretty much safe to use if I don't change it?

Yes. In terms of safety, yes. You can keep that ATTR_EMULATE thing though. It doesn't matter too much either way.

Also, what about when I'm inserting data?

As long as you can add your data to the query via a placeholder, it is perfectly safe.
Trouble starts where you can't use a placeholder. For a field name, for example. In the above link you can find a solution.

$DataB -> prepare( "UPDATE `names` SET :fn WHERE id = :a" )

This query contains an SQL syntax error.

I always prefer shorter codes when possible.

You have it actually long. "Short" doesn't mean "readable". Readable doesn't mean "stuff as many operators in one line as you can".
You made your code hard to read.

To make it readable, write vertically, not horizontally.

To make it real short, create a helper function to be used like this:

$sql   = "SELECT * FROM `names` WHERE `password` = ? AND `email` = ?";
$Fname = $DB->getOne($sql, $_COOKIE['password'], $_COOKIE['email']);

See - it is both short and readable. Isn't it?

while ( $b = $a -> fetch( PDO::FETCH_ASSOC ) ) { $Fname = $b['first']; }

The manual is your friend.

$Fname = $a->fetchColumn();

It has to be. Or at least make it without the while.

since I heard I can't trust my own database either.

As long as you can add your data to the query via a placeholder, no matter its source, it is perfectly safe. That means you don't have to trust or distrust or think of the data source or safety at all. Just follow the rules.

And yes I have read this on this website which sort of says you can't prevent a certain attack before PHP 5.3.6

Actually this ATTR_EMULATE thing mentioned above prevents this marginal vulnerability perfectly.

For when I insert, update, and select/other user made data when who knows what it looks like.

Use placeholders where you can. Where you can't - better ask here first.

There are other vulnerabilities to think of - like XSS, CSRF, file injection and many more.
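Added example, not code from the answer or the question: a helper class of the kind the answer suggests, with getOne() built on fetchColumn(), getRow() for the whole-row case raised in the comments, and a whitelisted column name for the one place a placeholder cannot go (the field in the UPDATE). The DSN, the allowed-column list, and the question's variables $NewFname and $IDnumber are assumptions.

```php
<?php
// Added example (not the answerer's code): a small PDO helper of the kind the
// answer describes. Table/column names come from the question; the DSN and the
// allowed-column list are assumptions.
class Db
{
    private $pdo;
    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
    }

    // Every value goes through a placeholder, whatever its source (cookie,
    // form, or a row read back from the database). func_get_args() keeps it
    // PHP 5.3 compatible; ...$params needs 5.6.
    public function getOne($sql /* , $param1, $param2, ... */)
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute(array_slice(func_get_args(), 1));
        return $stmt->fetchColumn(); // first column of the first row, no while loop
    }

    // Whole row as an associative array, for the $User['username'] case.
    public function getRow($sql /* , $param1, $param2, ... */)
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute(array_slice(func_get_args(), 1));
        return $stmt->fetch(PDO::FETCH_ASSOC);
    }

    // A column name cannot be bound, so it is checked against a fixed list and
    // backtick-quoted; anything not on the list is rejected before SQL is built.
    public function updateField($field, $value, $id)
    {
        $allowed = array('first', 'last', 'email'); // assumed column list
        if (!in_array($field, $allowed, true)) {
            throw new InvalidArgumentException("Column not allowed: $field");
        }
        $stmt = $this->pdo->prepare("UPDATE `names` SET `$field` = ? WHERE `id` = ?");
        return $stmt->execute(array($value, $id));
    }
}

$pdo = new PDO('mysql:dbname=dbname;host=localhost;charset=utf8', 'username', 'password');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // native prepares, as in the question
$db = new Db($pdo);
$Fname = $db->getOne("SELECT `first` FROM `names` WHERE `password` = ? AND `email` = ?", $_COOKIE['password'], $_COOKIE['email']);
$db->updateField('first', $NewFname, $IDnumber); // $NewFname, $IDnumber assumed set as in the question
```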

Your Common Sense
  • About backing up databases, I mean even just 10 minutes of lost game data would annoy people (especially if it was Minecraft). About the 2nd URL, that was great and I at least feel like I'm mostly safe now (helpful). About the syntax error, I did mention (not that noticeable I guess) I took those from functions I made myself, which looked like this `UPDATE $U SET $Str WHERE id = :a`. The while loop was to get the entire user's data actually, in a single array to do this `echo $User['username']`. And I guess that's it (also I posted this kind of soon because I didn't know the Enter key submits this). – Hybrilynx Apr 18 '13 at 21:33