Is it just as likely that I might suffer a sql injection on a query to the database (SELECT) as using UPDATE, INSERT etc?
I'm updating to PDO, so should I use 'prepare/exec' when querying the DB, or only when updating?
Asked
Active
Viewed 93 times
0
-
You have to do that whenever you are executing a query.Never mind its insert,update,select or delete – 웃웃웃웃웃 Oct 24 '13 at 10:51
-
@User016 it have to be answer, not comment – Your Common Sense Oct 24 '13 at 10:52
-
You should prepare on any query that relies on dynamic/user input. A simple `SELECT * FROM table` won't need preparing. – Ben Fortune Oct 24 '13 at 10:54
-
1so using $sql = $conn->query is generally only when there are no variable parameters? – gavin stanley Oct 24 '13 at 10:54
-
@Ben Fortune can you make that an answer please, as it is different to User016's answer. I would like confirmation on that. Ta – gavin stanley Oct 24 '13 at 10:56
-
The way you ask the question suggests that you do not have much understanding about what "PDO prepare" actually is for. In short it is for parametrized queries. So whenever you have variable expressions with the static SQL. See: http://blog.ircmaxell.com/2012/12/programming-with-anthony-prepared.html – hakre Oct 24 '13 at 10:56
-
@BenFortune I'd downvote this answer as soon as it appears – Your Common Sense Oct 24 '13 at 10:57
-
@YourCommonSense it won't. ;) – Ben Fortune Oct 24 '13 at 10:58
-
@YourCommonSense so would you prepare exec a simple QUERY?, when exactly would you use 'query' over 'prepare/exec'? – gavin stanley Oct 24 '13 at 11:00
-
My objection is not on query complexity but on "user input". – Your Common Sense Oct 24 '13 at 11:01
-
And it is my strong belief that you shoudn't plead for simple "yes" or "no", but rather **understand** what is all this mess for and how it works. To answer this question yourself. – Your Common Sense Oct 24 '13 at 11:03
2 Answers
2
if you are using variable in your query (user input), either it is select query or insert/update,
like in select query you are passing variable in where clause then to prevent sql injection you should use PDO for mysql.
e.g: this is your query;
select * from login where username = '$username' and password= '$password';
then if user try to put
$username ='admin \' OR 1=1';
then compiled query will become
select * from login where username = 'admin' OR 1=1 and password= '...';
(while this ways is also wrong. you should only check for username from login table and fetch password according to user then match it through you langugae code.) but as a example select query can also injected.
See as well:
- In PHP, how does PDO protect from SQL injections? How do prepared statements work?
- How prepared statements can protect from SQL injection attacks?
- How does PHP PDO's prepared statements prevent sql injection? What are other benefits of using PDO? Does using PDO reduce efficiency?
- Can I fully prevent SQL injection by PDO Prepared statement without bind_param?
- Are PDO prepared statements sufficient to prevent SQL injection?
Community
- 1
- 1
developerCK
- 4,418
- 3
- 16
- 35
-
Thanks, would you agree with @Ben Fortune that A simple SELECT * FROM table won't need preparing? – gavin stanley Oct 24 '13 at 10:58
-
1yes . that's why i wrote where you are passing input from user? then needed. – developerCK Oct 24 '13 at 10:59
-
Sidenote: Do not use `*`, see [*Why is SELECT * considered harmful?*](http://stackoverflow.com/q/3639861/367456) – hakre Oct 24 '13 at 11:06
2
You have to do that whenever you are executing a query.Never mind its insert,update,select or delete if you are passing an input (variables) with the query you have to take care of SQL injection.
You can find the best answers here
