
I'm looking to refactor some legacy PHP code, and I know that PDO is more secure with the addition of prepared statements and such, but I am wondering if there are any security benefits of using the PDO::query() method vs. the mysql_query() method. Are there?

GSto
    You can write perfectly safe and correct queries manually. PDO just makes it easier for beginners to do so. But both can still totally trash your db regardless of insertion vulnerabilities. No library in the world will save you if you dynamically generate `delete from $table` and forget a `where` clause. – Marc B Aug 15 '11 at 19:50

3 Answers


Short of a bug in PDO or mysql_*, the security issues with database queries depend on the query being run, not on what is used to connect to the database.

If you create an insecure query with user data and execute it with PDO::query(), it is just as insecure as it is with mysql_query(). Likewise, if you have a secure query, running it with PDO::query() is effectively the same as running it with mysql_query().

Brad
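The point made in the answer above, as an added example that is not part of the original post: the same query is run once by interpolating the user-supplied value into the SQL string and handing it to PDO::query(), and once as a prepared statement with the value bound separately. It uses an in-memory SQLite database through PDO so it runs offline; the table, rows and attacker input are constructed for the example. The mysql_* functions themselves are not shown because that extension was removed in PHP 7, but the interpolated string is exactly what mysql_query() would have received.

```php
<?php
// Added example: PDO::query() with an interpolated value versus a prepared
// statement with a bound value. In-memory SQLite; constructed sample data.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (name, email) VALUES
    ('alice', 'alice@example.com'),
    ('bob',   'bob@example.com')");

// Constructed attacker input: closes the string literal and appends a tautology.
$userInput = "nobody' OR '1'='1";

// 1. Interpolating the value into the SQL text. This is the same mistake
//    whether the string goes to mysql_query() or PDO::query(): the driver
//    receives one statement and cannot tell which part was meant as data.
function findByNameUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll();
}

// 2. Prepared statement: the SQL text is fixed and the value travels
//    separately, so the quote and the OR clause are just characters inside
//    one string value that no row happens to match.
function findByNameSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll();
}

$leaked = findByNameUnsafe($pdo, $userInput);
$safe   = findByNameSafe($pdo, $userInput);

printf("PDO::query() with interpolation: %d row(s) returned\n", count($leaked));
printf("prepare()/execute() with a bound value: %d row(s) returned\n", count($safe));
```

With the constructed input, findByNameUnsafe() returns both rows because the WHERE clause became `name = 'nobody' OR '1'='1'`, while findByNameSafe() returns none because the whole string was compared as a single value. Swapping PDO::query() for mysql_query() in the first function would change nothing about the result; moving the value out of the SQL text is what does.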

No, but if you were to use PDO prepared statements instead of PDO::query(), you would then be fairly impervious to injection attacks as it will escape variables for you.

PDO also has other benefits over mysql functions...

prepared statements
transactions
ability to switch drivers
can get result rows as objects
etc
dqhendricks

You can concatenate strings from user input in a PDO prepared statement, so it is not more secure in any way. Prepared statements also have some drawbacks. For example, you cannot create a simple query where you use a variable amount of data, for example:

WHERE id IN (1,2,5,7,9,23)

If you know that you will use only MySQL, I suggest you go with mysqli rather than PDO. There is no need for an unnecessary abstraction layer.

codez
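The variable-length IN (...) list from the answer above, as an added example that is not part of the original post: a prepared statement whose SQL text is built from one "?" placeholder per value, so only the placeholder count varies and no user data is ever concatenated into the query. It assumes PDO with an in-memory SQLite database; the items table, its rows and the id lists are constructed for the example, and fetchByIds() is a name chosen here, not a PDO API.

```php
<?php
// Added example: prepared statement with a variable number of IN () values.
// In-memory SQLite; the table, rows and id lists are constructed sample data.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, label TEXT)');
$insert = $pdo->prepare('INSERT INTO items (id, label) VALUES (?, ?)');
foreach ([1, 2, 5, 7, 9, 23, 42] as $id) {
    $insert->execute([$id, "item-$id"]);
}

/**
 * Fetch rows whose id is in $ids. One "?" is generated per value, so the SQL
 * text contains only placeholders; the values themselves are bound by execute().
 *
 * @param int[] $ids
 */
function fetchByIds(PDO $pdo, array $ids): array
{
    // "IN ()" with nothing between the parentheses is a syntax error on every
    // major database, so the empty list has to be handled before preparing.
    if ($ids === []) {
        return [];
    }
    // Reject non-integers instead of coercing them. Binding would already stop
    // them from altering the statement; the check keeps the contract explicit.
    foreach ($ids as $id) {
        if (!is_int($id)) {
            throw new InvalidArgumentException('ids must be integers');
        }
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare(
        "SELECT id, label FROM items WHERE id IN ($placeholders) ORDER BY id"
    );
    // Positional binding: array_values() guarantees a 0-based list for execute().
    $stmt->execute(array_values($ids));
    return $stmt->fetchAll();
}

// Constructed inputs: the list from the answer, a list with an id that does
// not exist, an empty list, and a string smuggled into the list.
print_r(fetchByIds($pdo, [1, 2, 5, 7, 9, 23]));
print_r(fetchByIds($pdo, [42, 1000]));
print_r(fetchByIds($pdo, []));
try {
    fetchByIds($pdo, [1, '2 OR 1=1']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The first call returns the six matching rows, the second returns only id 42, the third returns an empty array without touching the database, and the fourth is rejected before any SQL is built. The same placeholder-generation technique works with mysqli prepared statements; what changes is only the binding call, not the idea that the query text is assembled from a fixed template plus placeholders.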