
True PHP Security experts, is PDO the way to go or would I be ok with Codeigniter's Active Record class?

I have read http://codeigniter.com/forums/viewthread/179618/ and am not 100% convinced.
I usually lean on experts such as Chris Shiflett and OWASP for security tips. http://shiflett.org/blog/2006/jul/the-owasp-php-top-5

Been using a homebrewed PDO DB Class in place of the Codeigniter Database files. Every time I upload, it is a relatively small pain to copy over. The main reason I use PDO is to protect from SQL Injection vs using Active Record.

EDIT: NOT TO BE A SHILL but I wrote a post after the fact on how to integrate PDO in Codeigniter. If anyone has feedback, I would be happy to hear.

csi
  • Thanks for all the great answers. Every answer has a valid point. I am going to continue to use PDO for flexibility, security, parameter binding and because I have a solid knowledge of it. – csi Feb 14 '11 at 22:26
  • I read your blog post. But how can I use PDO in CI after these modifications? See [How can I use PDO in CodeIgniter 2?](http://stackoverflow.com/questions/5884761/how-can-i-use-pdo-in-codeigniter-2) – Jonas May 04 '11 at 14:14

4 Answers


Well, there is a general answer for all the questions of this kind:

It's not a wand, it's a wizard.

(dunno where I got that saying, but it seems I'm the only one using it, so most likely I misspelled it)

There is nothing good or bad in the technology itself.
Everything depends on the hands that use it.

  1. There is nothing insecure in mysql, if used properly.
  2. PDO is not a magical aegis that covers your backs from all dangers by its presence only.

Every time I see lame talk of SQL injection, it's always about dynamic data only.
While most danger comes from other query parts, say, dynamic identifiers, where PDO can do a little less than nothing to deal with them.

So, there cannot be a certain answer.
You can use whatever technology you like, as long as you understand what you are doing.
And conversely, if you don't understand how it works but just believe that some technology is doing your job of protecting your app, you're already in trouble.

That's it.

Your Common Sense
  • That is a pretty good point - most database APIs don't account for escaping literal names (tables, columns, etc). I recall that being a problem with WordPress several years ago when I was interested in porting it to Postgres - the escaping is different for each database. – Tom Feb 17 '11 at 03:01
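The point made in this answer, that bound parameters cover values but not identifiers, as an added example that is not code from the answer or from CodeIgniter. It runs offline against an in-memory SQLite database; the `users` table, its rows, and the `findUsers()` helper are constructed for the example.

```php
<?php
// Added example, not from the answer or from CodeIgniter: values can be bound,
// identifiers cannot, so table/column/direction names need a whitelist instead.
// In-memory SQLite; table and rows are constructed here so the script runs offline.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, created TEXT)');
$pdo->exec("INSERT INTO users (name, created) VALUES ('alice', '2011-01-05')");
$pdo->exec("INSERT INTO users (name, created) VALUES ('bob', '2011-02-09')");
$pdo->exec("INSERT INTO users (name, created) VALUES ('anna', '2010-12-31')");

/**
 * Hypothetical helper for this example. The sort column and direction come from
 * the request, so they are compared against fixed lists before being placed in
 * the SQL text; the LIKE pattern is a value and goes through a bound parameter.
 */
function findUsers(PDO $pdo, string $orderBy, string $direction, string $namePattern): array
{
    $allowedColumns    = ['id', 'name', 'created'];
    $allowedDirections = ['ASC', 'DESC'];

    if (!in_array($orderBy, $allowedColumns, true)) {
        throw new InvalidArgumentException("sort column not allowed: $orderBy");
    }
    $direction = strtoupper($direction);
    if (!in_array($direction, $allowedDirections, true)) {
        throw new InvalidArgumentException("sort direction not allowed: $direction");
    }

    // Identifiers are interpolated only after an exact whitelist match; the value is bound.
    $sql  = "SELECT id, name, created FROM users WHERE name LIKE :pattern ORDER BY $orderBy $direction";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':pattern', $namePattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Normal use: newest first, names starting with 'a'.
print_r(findUsers($pdo, 'created', 'desc', 'a%'));

// A hostile sort column is rejected before any SQL text is built.
try {
    findUsers($pdo, 'name; DROP TABLE users', 'ASC', '%');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Why binding does not cover identifiers: a bound parameter is always a value.
// The driver returns the string 'name' for every row instead of the name column.
$stmt = $pdo->prepare('SELECT :col AS picked FROM users');
$stmt->bindValue(':col', 'name', PDO::PARAM_STR);
$stmt->execute();
print_r($stmt->fetchAll(PDO::FETCH_COLUMN));
```

The whitelist is a comparison, not an escaping step: there is no escaping function that turns an arbitrary string into a safe column name, so the only sound options are an exact match against names the code already knows, or a mapping from request keys to fixed identifiers.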

According to the page you referenced, the Active Record class uses mysql_ functions for string escaping. That means it's still building SQL strings up in PHP-land instead of using parameterized APIs into the database. While it may be free of known defects right now, it is still a better idea to use an API that follows a more secure design.

Tom

If you are already at a comfy point with your PDO library, there is no reason to stop using it in CI. Active Record is great if you want to follow the CI patterns, but it is hardly a requirement in any sense.

Fred Wilson

Take a look at http://codeigniter.com/user_guide/database/queries.html

The last section, Query Bindings, tells you that you can use query bindings, which are automatically escaped.

Although it's not really prepared statements, it's an effective simulation of same.

Repox