
I'm using plain PHP code rather than a PHP/MVC framework.

I want to know, is plain PHP code more prone to SQL injection than using a PHP/MVC framework?

Gumbo
  • possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Shankar Narayana Damodaran Mar 18 '14 at 06:51
  • Maybe this could help you understand more: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – daR Mar 18 '14 at 06:53
    Yes, it is because most frameworks provide certain API and abstractions that take care of the proper data handling for you so you don’t have to think about it. – Gumbo Mar 18 '14 at 07:08

2 Answers

1

Plain PHP isn't more vulnerable to SQL injection when you know how to program it. PHP MVC frameworks are just plain PHP as well, written by other humans like you :).

Xatenev
    “when you know how to program it” is the crux. Unfortunately, many people don’t know. – Gumbo Mar 18 '14 at 07:18
-2

You should use mysql_real_escape_string for escaping string input parameters in a query. Use type casting to sanitize numeric parameters and whitelisting to sanitize identifiers.

A better solution would be to use prepared statements; you can do this by using PDO or mysqli.

daR
  • Thanks for the answer. Maybe I should use mysql_real_escape_string to avoid such injections. – user3431892 Mar 18 '14 at 07:07
  • On a second glance this answer is *technically* correct. However, as can be seen from the OP's response, it was totally misunderstood, due to the flawed nature of the answer. Prepared statements should be offered as the only option, because they offer *complete* formatting. – Your Common Sense Mar 18 '14 at 07:23
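The string-built query beside the prepared-statement, type-casting and whitelisting approach the second answer recommends, as an added example that is not code from either answer. The `users` table, its columns, the DSN and the credentials are assumed; the input `O'Brien` is a constructed sample.

```php
<?php
// Added example (not from either answer). Table/column names, DSN and
// credentials are assumed; the input "O'Brien" is a constructed sample.

// VULNERABLE: the input is spliced into the SQL text, so a quote inside it
// changes the statement itself (here it merely breaks the query; other
// input could change what the query does).
function findUserUnsafe(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// SAFE: the SQL text is fixed and the value is bound separately, so it is
// always compared as data and is never parsed as SQL.
function findUserSafe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Identifiers cannot be bound, so a request-supplied sort column is checked
// against a whitelist; the numeric LIMIT is cast and clamped, which is the
// treatment the second answer describes for identifiers and numbers.
function listUsers(PDO $db, string $sortColumn, string $limit): array
{
    $allowed = ['id', 'username', 'created_at'];
    if (!in_array($sortColumn, $allowed, true)) {
        $sortColumn = 'id';                       // fall back, never trust input
    }
    $safeLimit = max(1, min(100, (int) $limit));  // cast, then clamp

    $stmt = $db->prepare("SELECT id, username FROM users ORDER BY $sortColumn LIMIT :lim");
    $stmt->bindValue(':lim', $safeLimit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Assumed connection; emulation is off so the MySQL server does the binding.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
var_dump(findUserSafe($pdo, "O'Brien"));     // looked up literally, quote and all
var_dump(listUsers($pdo, 'username', '10'));
```

With `ERRMODE_EXCEPTION` set, calling `findUserUnsafe` with the same `O'Brien` input throws a syntax-error exception, which is the failure the second answer's escaping advice only papers over and the prepared statement removes entirely.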