PDO secure ways to safe code from sql injections but using kali can still cause to inject

Question

I have google and searched for sanitization the user posted data and found lot of examples and functions but i haven't find yet any solution which help me to resolve my confusion.

My question is that what is basically done in the following php mysqli built-in function:

  // Sanitize. example:
  $x = mysqli_real_escape_string($con, $posted_val));

is there any built-in function in PDO or in core php to sanitize the user posted data with?

I have tried to use my own function to sanitize the input by replacing the possible exploitable code and then return the result but I hope there may be some built-in function exits in PDO too? or I may be wrong...

Does this answer your question? [function to sanitize input to Mysql database](https://stackoverflow.com/questions/9144414/function-to-sanitize-input-to-mysql-database) — Kaleb W, Apr 10 '20 at 18:42
Does this answer your question? [PHP PDO prepared statements](https://stackoverflow.com/questions/1457131/php-pdo-prepared-statements) — El_Vanja, Apr 10 '20 at 18:43
You could also use `mysqli` [prepared statements](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) if you want to stick to that extension. — El_Vanja, Apr 10 '20 at 18:55
You don't need to sanitize when you use prepared statements. — Barmar, Apr 10 '20 at 18:59
@Barmar, ok i got it. you are right i was forgetting about the prepared statements... — Abdul Rahman, Apr 10 '20 at 19:01
Can you share more details? In the title, you have mentioned "kali" which "injects" something - what does that mean? — Nico Haase, Apr 10 '20 at 19:25
@NicoHaase kali linux has some very nice tools through which a one can test web applications for sql injetcions like Sqlmap and others... — Abdul Rahman, Apr 10 '20 at 20:50

score -1 · Answer 1 · answered Apr 10 '20 at 20:27

Basically with using PDO you need just parameterize your data to prevent SQL injections. Without parameterizing your database will be still available for injections. The sanitization you can implement by yourself before passing values into SQL statement

Simple example of parameterized PDO statement:

<?php
// Connecting to database with values defined in 'database.php'
include_once 'database.php';

$db = new PDO($DB_DSN, $DB_USER, $DB_PASSWORD);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Function that takes SQL statement and parameters for it
function query($sql, $params = []) {

    $stmt = $db->prepare($sql);

    // Simple preparing and binding parameters to PDO::prepare()
    if (!empty($params)) {
        foreach ($params as $key => $val) {
            if (is_int($val)) {
                $type = PDO::PARAM_INT;
            } elseif (is_bool($val)) {
                $type = PDO::PARAM_BOOL;
            } else {
                $type = PDO::PARAM_STR;
            }
            $stmt->bindValue(':'.$key, $val, $type);
        }
    }

    // Executing SQL
    $stmt->execute();
    return $stmt;
}

// I declare here simple variables that I'm usually getting from AJAX POST method
$id = "1";
$email = "email@example.com";

// SQL statement
$sql = 'SELECT * FROM `users` WHERE id = :id AND email = :email LIMIT 1';
// Parameters that will pass
$params = ['id' => $id, 'email' => $email];

// Executing SQL and saving return in variable
$result = query($sql, $params);

// Returning result
return $result;

So with such practice hacker won't be allowed to see any other data except that are passed into variables and couldn't make injection in it

PDO secure ways to safe code from sql injections but using kali can still cause to inject

1 Answers1