
I have a site that makes use of various database operations, such as SELECT, INSERT, UPDATE, and DELETE. I am in the process of switching all my mysqli to PHP PDO. I am told switching to PDO should help keep my site secure against SQL Injections, so that should be covered.

Besides SQL Injections, if you would have to choose 2 other security vulnerabilities to protect against, what would those be?

If you could please provide me with some code samples for each scenario, that would be much appreciated.

zeckdude
    PDO is not a magic silver bullet. You need to utilize its *prepared statements*. Else it's pointless. (And not everything can be a bound parameter!) -- The inquiry for other vulnerabilities is too broad. – mario Jul 16 '13 at 00:57
  • pdo offers zero security benefit compared to mysqli. – goat Jul 16 '13 at 01:02
  • Thanks for the response Mario. So what do you recommend is the best approach for me to take? I will take your suggestion and make sure to use prepared statements, but what else do you recommend I do to keep it secure? – zeckdude Jul 16 '13 at 01:03
  • @zeckdude I would read this https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents to see all the different types of attacks there are, why they occur and how to prevent them. – kittycat Jul 16 '13 at 01:24

2 Answers


Merely switching to PDO does not magically make all your SQL code secure. You still need to use it correctly, passing dynamic values to prepared queries. And this still doesn't cover every case of dynamic SQL queries. Parameters can take the place of constant values in SQL expressions, but not dynamic table names, dynamic column names, dynamic SQL expressions. No single solution solves every case of SQL injection, even though each solution is itself useful in its own way.

You may like to read my presentation SQL Injection Myths and Fallacies, which will help to shed light on this.

For other security faults, there are quite a few broad types of vulnerabilities. Kudos to you for seeking to learn more to engineer safe websites. Everyone in the software developer community should be an advocate of good security practices.

Here are some good resources:

  • OWASP Top Ten Project represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Also the OWASP.org site has many other resources for studying the nature and remedies for common web security threats.

  • CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most widespread and critical errors that can lead to serious vulnerabilities in software. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.

  • 19 Deadly Sins of Software Security, by Michael Howard and David LeBlanc, and John Viega, 2005.

  • Essential PHP Security by Chris Shiflett, 2005.

Bill Karwin
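The distinction drawn in the answer above, that parameters can replace values but not table or column names, as an added PHP example that is not part of the answer; the `users` table, its columns and the connection details are assumed:

```php
<?php
// Added example (not from the answer): PDO prepared statements protect
// values, not identifiers; identifiers need a whitelist.
// Assumes a "users" table with columns id, name, email, created_at.

function connect(): PDO {
    return new PDO('mysql:host=localhost;dbname=app', 'user', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
}

// UNSAFE: switching to PDO changes nothing if input is still concatenated.
function findByNameUnsafe(PDO $pdo, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE for values: the name travels to the server as a bound parameter,
// so it can never be parsed as part of the SQL statement.
function findByName(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers cannot be bound: "ORDER BY :col" would sort by a constant
// string, not by a column. Map the request value onto a fixed whitelist
// and fall back to a default for anything not in it.
const SORTABLE = ['name' => 'name', 'email' => 'email', 'created' => 'created_at'];

function listSorted(PDO $pdo, string $sortKey, string $dir, int $limit): array {
    $column    = SORTABLE[$sortKey] ?? 'created_at';        // unknown key -> default
    $direction = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    // LIMIT takes a value, so it can be bound as an integer (emulation off).
    $stmt = $pdo->prepare(
        "SELECT id, name FROM users ORDER BY `$column` $direction LIMIT :limit"
    );
    $stmt->bindValue(':limit', max(1, min($limit, 100)), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```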

That is the point of using PDO with prepared statements. If you start using PDO today, then there won't be other 'SQL Injection' problems you have to worry about, maybe XSS attacks, but that is another subject, and not related to MySQL/PDO topics.

You should be safe using PDO. No worries!

For more info, look at my other answer on PDO here.

Community
    It's entirely possible to write insecure code with PDO. – ceejayoz Jul 16 '13 at 01:01
  • Thanks for the response Simon! XSS attacks are the only other thing besides SQL Injections that I need to be concerned with? – zeckdude Jul 16 '13 at 01:01
  • @zeckdude Well, there are many ways a hacker can manipulate your site, such as header injection, session fixation... but as far as maintaining your database goes, PDO is pretty much the most secure way that exists today. Just remember to use prepared statements in PDO. – Jul 16 '13 at 01:06