
I understand that using PDO makes SQL injections virtually impossible. However, I don't have time at the moment to change all the database related code in our website. (Especially since I'm new at PDO, there's some learning curve involved). So I want to know what mysql/php functions will give the same security that PDO does.

Will these two points be enough?

  1. Making sure all $_GET and $_POST data are of the type expected (such as product ids should only be numerical, so I could use is_numeric).
  2. Using mysql_real_escape_string.

Or is there anything else I should do? The way the website works is that, based on id=x in the query string, things might go to the database. And what I saw after the hack was that in the database, all things that can go to the database through query strings had been compromised with values like cd etc/pwd.

user961627

  • PDO isn't really that difficult. Perhaps this will help: http://net.tutsplus.com/tutorials/php/pdo-vs-mysqli-which-should-you-use/ If you really don't have the time, you should look at the mysqli-related answer on this StackOverflow post: http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php?rq=1 – Gor May 19 '13 at 11:34
  • Prepared statements. Not only PDO has prepared statements. – sectus May 19 '13 at 11:34
  • BTW, this specific answer is what I was referring to: http://stackoverflow.com/a/60496/1298317 (as @sectus mentioned, prepared statements... yes) – Gor May 19 '13 at 11:39
  • http://kunststube.net/escapism – deceze May 19 '13 at 12:17

1 Answer

The short version: move from the mysql extension to the mysqli extension, and replace the queries that take parameters with prepared statements (here is a quickstart guide).

But in the long run, learning PDO right now won't take that long, and it is worth the effort.

As a side note:

I understand that using PDO makes SQL injections virtually impossible.

That is not true; it is possible to write an injectable query in PDO. This code in PDO is as bad as it is in the old mysql extension (two vulnerability vectors for the price of one here!):

$pdo_obj->query("SELECT password FROM users WHERE id = '".$_GET['id']."'");

PDO only provides the tools to protect yourself and makes them easy to use. You always, always have to take care of validating and filtering the input yourself. But with prepared statements, you can at least let the database know what is supposed to be a parameter and what is supposed to be part of the query.

Lepidosteus
  • Ok I'm switching to using PDOs. However, one of the ways that really helps me debug my applications is echoing out my queries during development, simply like `echo "The sql: ". $sql; `. By using PDO can I no longer have that convenience? How can we echo out the prepared statement? – user961627 May 19 '13 at 14:11
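As an added example (not code from the original answer): the injectable query from the answer beside its prepared-statement form in both PDO and mysqli, with the integer validation the question proposes done first. The DSN, credentials and the `users(id, password)` table are placeholders.

```php
<?php
// Connection settings are placeholders for this example.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);

// Vulnerable (the answer's example): user input is concatenated into the SQL
// text, so the database cannot tell where the query ends and the value begins.
function lookupUnsafe(PDO $pdo, string $id): array
{
    return $pdo->query("SELECT password FROM users WHERE id = '" . $id . "'")->fetchAll();
}

// Hardened with PDO: validate the type first (ids must be positive integers),
// then bind the value as a parameter so it is never parsed as SQL.
function lookupSafePdo(PDO $pdo, string $rawId): ?string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject anything that is not a positive integer
    }
    $stmt = $pdo->prepare('SELECT password FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row['password'] ?? null;
}

// Same protection with mysqli, the quicker migration path the answer suggests.
function lookupSafeMysqli(mysqli $db, string $rawId): ?string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT password FROM users WHERE id = ?');
    $stmt->bind_param('i', $id); // 'i' tells the driver this is an integer parameter
    $stmt->execute();
    $stmt->bind_result($password);
    return $stmt->fetch() ? $password : null;
}

// Usage: $_GET['id'] is only ever passed as a bound parameter, never as SQL text.
// var_dump(lookupSafePdo($pdo, $_GET['id'] ?? ''));
```

With emulated prepares disabled, the statement text and the parameter travel to the server separately, which is what makes the binding effective rather than a client-side escape.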