0

Okay so I have been web developing for a little while now and I have some questions regarding PDO and SQL injection. As we all know SQL injection is a horrible vulnerability that we all want to avoid to our basic capability. I understand that SQL injection is most commonly done by using ' in a data which breaks the query, such as the infamous: 

' or '1'='1

I sometimes get lazy and usually my PDO SQL queries end up like this:

SELECT * FROM users WHERE id = ?

(I'd then bind ? to the $_GET['id'] or something) Now notice I don't use ` or ' anywhere in the query, is SQL injection still possibly after prepared statements? What exactly does prepared statements stop? Thank you!

Michael Berkowski
  • 267,341
  • 46
  • 444
  • 390
bloodless2010
  • 349
  • 1
  • 4
  • 15
  • to answer your final question: prepared statements stops injection techniques by encapsulating and escaping the string before the query is actually executed. – skrilled Mar 06 '14 at 20:02
  • 1
    Don't think of parameter binding as string substitution, wherein you're just placing a string wherever `?` lies. The RDBMS receives the _value_ you place in `?` and uses it as a value. It does not dynamically construct a SQL statement from it, so it is _not_ vulnerable if used correctly. – Michael Berkowski Mar 06 '14 at 20:02
  • 1
    Using bound parameters `?` _eliminates the need_ for manually quoting your parameters, and indeed if you did quote `'?'`, the literal string `?` would be passed to MySQL with no substitution at all (actually, you'd get an error trying to bind to a nonexistent param `?` before the statement was even executed.) – Michael Berkowski Mar 06 '14 at 20:05
  • As long as you're using bound parameters they are escaped properly, there are certain cases where there are other vulnerabilities(Learn about them [HERE](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)). To address them, add `$conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);` – Jack Mar 06 '14 at 22:35

0 Answers0