
I came across this answer, which suggests that, other than checking whether the string is empty, we are probably better off not validating at all. Considering the scope of possible characters when dealing with international names, this seems reasonable.

Should we be foregoing validation altogether?

Are prepared statements sufficient when it comes to sanitizing international names?

$pdo = $connection->prepare("INSERT INTO clicks (domain, sid) VALUES (:domain, :sid)");
$pdo->execute(array(
  ":domain" => $domain,
  ":sid" => $sid
));

Another approach would be to disallow certain characters, instead of trying to match included characters. This would get tricky too, however.

oldboy
  • an explanation of the down vote would be useful... – oldboy Jul 29 '19 at 21:50
  • If you're binding input values to prepared statements properly (it looks like you are) then which characters are allowed in the values isn't really relevant to SQL injection concerns because it will not be possible for the value to become part of the query. https://stackoverflow.com/questions/8263371/how-can-prepared-statements-protect-from-sql-injection-attacks – Don't Panic Jul 29 '19 at 23:04
  • @Don'tPanic ok perfect. – oldboy Jul 30 '19 at 00:29

1 Answer

Should we be foregoing validation altogether?

Probably. I agree with the linked user's answer. Trying to make guesses about names will only cause you pain.

Are prepared statements sufficient when it comes to sanitizing international names?

If done correctly, yes. Note that it's not sufficient to just use prepared statements; you need to use bound parameters as well.

I assume that's what you mean, but I feel I need to be pedantic here because I often see this sort of "prepared statement":

$db->prepare("select * from users where id = $id");

Alex Howansky
  • What I'm using is `$pdo = $connection->prepare("INSERT INTO table (column) VALUES (:column)")` and then either binding them individually (e.g. `$pdo->bindParam(":column", $column)`) or executing them with an associative array (e.g. `$pdo->execute(array(":column" => $column))`). Are these prepared statements sufficient to sanitize international names? – oldboy Jul 29 '19 at 21:55
  • @csabinho are the prepared statements in my comment above sufficient to sanitize international names? – oldboy Jul 29 '19 at 21:55
  • @csabinho Right, that's exactly my point. I see this too often: people think that just using `prepare()` makes them safe. I just wanted to point out that you also need to bind. – Alex Howansky Jul 29 '19 at 21:57
  • @BugWhisperer Impossible to tell without seeing all the code, but yes, you've got the basic idea of it correct. – Alex Howansky Jul 29 '19 at 21:58
  • I've added the code. What other code would you need to see to know if the prepared statement is sufficient sanitization for international names? – oldboy Jul 29 '19 at 22:10
  • The code you've posted looks clean, and should be immune to injection. – Alex Howansky Jul 29 '19 at 22:15
  • Quick question: is there eventually a privilege that can be unlocked that lets you see who downvoted your stuff? – oldboy Jul 29 '19 at 22:18
  • Not to my knowledge. – Alex Howansky Jul 29 '19 at 22:20
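Added example, not part of the question or the answer: a self-contained PHP script showing the pattern the question uses (PDO prepare() plus bound parameters) round-tripping international names, including one that contains quote and comment characters, and checking that the table is untouched afterwards. It uses an in-memory SQLite database and a constructed `clicks` table (the same column names as the question) so it runs offline; the sample names and the helper function names are my own.

```php
<?php
// Added example (not from the question or answer): international names
// through PDO with bound parameters. In-memory SQLite, constructed data.
declare(strict_types=1);

function openDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on errors instead of failing silently.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE clicks (id INTEGER PRIMARY KEY, domain TEXT NOT NULL, sid TEXT NOT NULL)');
    return $db;
}

// Same shape as the question's INSERT: the values travel as parameters, so
// the SQL text never changes no matter which characters the name contains.
function insertClick(PDO $db, string $domain, string $sid): int
{
    $stmt = $db->prepare('INSERT INTO clicks (domain, sid) VALUES (:domain, :sid)');
    $stmt->execute([':domain' => $domain, ':sid' => $sid]);
    return (int) $db->lastInsertId();
}

// The other binding style from the comments: bindValue() per placeholder.
function findByDomain(PDO $db, string $domain): array
{
    $stmt = $db->prepare('SELECT domain, sid FROM clicks WHERE domain = :domain');
    $stmt->bindValue(':domain', $domain, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample names: accented, non-Latin, an apostrophe, and a value
// made of quote and comment characters that would end a string literal if
// it were ever spliced into the SQL text.
$names = [
    "Zoë Müller",
    "山田 太郎",
    "O'Connor",
    "'; DROP TABLE clicks; --",
];

$db = openDatabase();
foreach ($names as $i => $name) {
    insertClick($db, $name, "session-$i");
}

// Every name round-trips exactly: each was stored as a plain string.
foreach ($names as $name) {
    $rows = findByDomain($db, $name);
    if (count($rows) !== 1 || $rows[0]['domain'] !== $name) {
        throw new RuntimeException("round-trip failed for: $name");
    }
    printf("%s -> %s\n", $rows[0]['domain'], $rows[0]['sid']);
}

// The table still exists and holds all four rows.
$count = (int) $db->query('SELECT COUNT(*) FROM clicks')->fetchColumn();
if ($count !== 4) {
    throw new RuntimeException("expected 4 rows, found $count");
}
echo "rows in clicks: $count\n";

// The pattern the answer warns about, for contrast (not executed here): the
// value is spliced into the SQL text before prepare() ever sees it, so
// prepare() has nothing left to protect.
//   $db->prepare("SELECT * FROM clicks WHERE domain = '$domain'");
```

Run it with `php example.php` (requires the pdo_sqlite extension, which ships with most PHP builds). One caveat when moving this to MySQL: PDO's MySQL driver emulates prepares by default and escapes values client-side using the connection charset, so declare the charset in the DSN (for example `charset=utf8mb4`) so that the escaping and the stored encoding agree for non-Latin names; setting `PDO::ATTR_EMULATE_PREPARES` to false switches to server-side prepares instead.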