Simple question and I want a simple answer. I'm using PDO prepared statements to make sure my data is safely processed into the database. But I'm confused. Do I have to disable magic quotes, or use stripslashes on variables if magic_quotes are enabled, and then let PDO do the security job?
-
Yes, this is trivially true because one should *always* disable magic quotes. :-) – Bill Karwin Jan 24 '13 at 18:43
2 Answers
If you are using PDO's prepared statements to insert data into your database, the data will go into the database exactly as you insert it. magic_quotes adds slashes to the data: these will therefore be present in the database. This is obviously not what you want.
As you say, disable magic quotes or, if necessary, use stripslashes.

-
So I have to use stripslashes and then let the PDO prepared statements do the security job? – aygeta Nov 19 '11 at 13:10
-
PDO prepared statements (if used correctly) will prevent SQL injection, yes. There's more to "security" than just preventing SQL injection, however... – lonesomeday Nov 19 '11 at 13:11
-
Thanks. I would like to know what more things I have to learn. Can you recommend a good book about PHP security? I know about null bytes, SQL injection, XSS, session hijacking, etc. Are you saying there is much more? So far my code is clean; I use object-oriented programming. Everything is in classes and objects. But I'm still scared. Security is important – aygeta Nov 19 '11 at 13:14
-
I'm just saying that all PDO prepared statements will do is protect against SQL injection. – lonesomeday Nov 19 '11 at 14:16
Stage 1 - View:
You type somebody's name into <input type="text" name="name">
Stage 2 - Model:
Now you post to the Model, use $_POST['name'] to fetch somebody's name and write a SQL statement:
$sql = "INSERT INTO tableName (name) VALUES (:name)"; // then prepare and bindParam
Before you can access the database using PDO, your SQL parameter will already have been escaped if your gpc is on. That is, somebody's name will be somebody\'s name now. Then you use PDO to access the database. But now somebody\'s name is saved in the database, because PDO will not know that the backslash before the single quote was added by gpc; instead PDO thinks that you added that backslash before the single quote intentionally.
Conclusion: If you use PDO, just turn gpc off.

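As an added illustration that is not code from either answer above: the following PHP simulates magic_quotes_gpc escaping a posted value, shows the stray backslash that the first answer and the somebody\'s name walk-through describe ending up in the database, and then the stripslashes-then-bind fix. It uses an in-memory SQLite database so it runs offline; the table name people, the column name, and the sample inputs are made up for the example.

```php
<?php
// Added example, not from the original answers. Simulates what magic_quotes_gpc
// does to $_POST and demonstrates the fix against an in-memory SQLite database.
// Table "people" and column "name" are placeholders.

// Undo the backslashes magic_quotes_gpc added, recursing into array inputs.
// When magic quotes are off nothing was added, so nothing must be stripped:
// calling stripslashes unconditionally would corrupt legitimate backslashes.
function normalize_input($value, bool $magicQuotesOn)
{
    if (!$magicQuotesOn) {
        return $value;
    }
    if (is_array($value)) {
        return array_map(function ($v) {
            return normalize_input($v, true);
        }, $value);
    }
    return stripslashes($value);
}

// In real code the flag comes from the runtime. magic_quotes_gpc was removed in
// PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0, so on modern PHP this is false.
function magic_quotes_active(): bool
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// The value is bound as a parameter and never interpolated into the SQL text,
// so the driver handles quoting. This is the SQL-injection protection.
function insert_name(PDO $pdo, string $name): void
{
    $stmt = $pdo->prepare('INSERT INTO people (name) VALUES (:name)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
}

function fetch_names(PDO $pdo): array
{
    return $pdo->query('SELECT name FROM people ORDER BY id')
               ->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed input: the user typed "O'Brien"; with magic_quotes_gpc on,
// $_POST['name'] arrives as "O\'Brien".
$typed = "O'Brien";
$postedWithGpcOn = addslashes($typed);

// Wrong: hand the already-escaped value to the prepared statement.
// The backslash is data as far as PDO is concerned, so it is stored.
insert_name($pdo, $postedWithGpcOn);

// Right: strip what magic quotes added, then let the bound parameter do the quoting.
insert_name($pdo, normalize_input($postedWithGpcOn, true));

// A value that merely looks like SQL is still stored as plain text by the
// bound parameter; the table is untouched.
insert_name($pdo, normalize_input(addslashes("x'); DROP TABLE people; --"), true));

foreach (fetch_names($pdo) as $stored) {
    echo $stored, PHP_EOL;
}
```

Running it prints the three stored rows: the first carries the backslash that magic quotes added, the second is exactly what the user typed, and the third shows that a bound parameter stores SQL-looking text as data. In production code the second argument to normalize_input would be magic_quotes_active() rather than a hard-coded true, and the cleaner route is the one both answers give: turn magic_quotes_gpc off and rely on the prepared statement alone.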