Re: sql injection protection

>> This is an interesting conversation, so I'm glad it got brought up, but I find myself curious:  Are you actually trying to avoid PDO, or just trying to learn how the security actually works?

Well, it's a learning process. My point is this... If I can make it
safe and sound without the PDO, then I really got to the bottom of it.
Because once you reach there, I would be in a much better shape,
cause at the end I will still use the PDO level.

PDO is not safe. I should say, it is not SAFE ENOUGH. You are still
vulnerable with PDO as well.
Cause PDO still requires you to validate your input. If you don't do a
good job at it, then you are using PDO as a drug. You have to go down
to the bottom of it, and that's validating the darn user input.

Well, if you validate your input well, then one can turn the question
around and ask, then why use PDO? It's not going to make it any safer!
It was already so.

The danger with the PDO articles...
Using/or Recommending PDO without the nitty/gritty details of how
important it is to validate your input is unfortunately leading people
( unexp. dev ) into thinking that it's a safer method, therefore they
can go relax at certain things and PDO will cover them.

I think one should try to make his data secure, first and foremost -
without *relying on* PDO to take care of things.

Therefore, we should learn the crux of the matter. By that, I mean all
that multibyte and GPK Greek and some other weird char sets that one
should be aware of, and what to do to really safeguard the databases
against all kinds of user data.

Only then, and only then, should one START thinking about using PDO.

http://stackoverflow.com/questions/134099/are-pdo-prepared-statements-sufficient-to-prevent-sql-injection

That's why I started this thread.

On Tue, Jan 17, 2012 at 4:39 AM, Andy McKenzie <amckenzie4@xxxxxxxxx> wrote:
> On Mon, Jan 16, 2012 at 10:34 PM, Haluk Karamete
> <halukkaramete@xxxxxxxxx> wrote:
>> I understand some ways are better than others in this one, and it
>> looks like the PDO based implementations shine the most as far as SQL
>> Injection.
>>
>> But would not the following be good enough - without implementing a
>> PDO solution?
>>
>> ....
>
>
> This is an interesting conversation, so I'm glad it got brought up,
> but I find myself curious:  Are you actually trying to avoid PDO, or
> just trying to learn how the security actually works?
>
> Personally, my decision was that I could spend a lot of time learning
> all the ins and outs, or I could just use PDO and some basic input
> validation, and be more-or-less secure.  I'm sure there are cases
> where that's not sensible, but it's always worked for me.
>
> -Andy

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
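The two points argued in this thread, that the charset the connection actually uses matters for escaping and that prepared statements cover values but not the parts of a query you have to validate yourself, can be shown in one PDO setup. This is an added example, not code from the thread; the `users` table and its `id`, `email`, `created_at` columns are assumptions for illustration.

```php
<?php
// Added example: PDO configured so the server handles parameters, plus
// whitelist validation for query parts that cannot be bound.
// Assumes a MySQL `users` table with id, email, created_at (constructed).

declare(strict_types=1);

function connect(string $host, string $db, string $user, string $pass): PDO
{
    // Declaring the charset in the DSN keeps client and server escaping
    // in agreement; the multibyte (GBK) bypass discussed in the linked
    // Stack Overflow thread depends on them disagreeing.
    $dsn = "mysql:host={$host};dbname={$db};charset=utf8mb4";
    return new PDO($dsn, $user, $pass, [
        // Real server-side prepares: values never pass through
        // client-side string interpolation.
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Values are bound. Identifiers (column names) and keywords (ASC/DESC)
// cannot be bound, so they are checked against a fixed allow-list;
// this is the part PDO does not do for you.
function findUsers(PDO $pdo, string $emailPrefix, string $orderBy, string $dir): array
{
    $allowedColumns = ['id', 'email', 'created_at'];
    if (!in_array($orderBy, $allowedColumns, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $dir = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';

    // Shape checks on the value are about correctness, not injection;
    // the binding below is what keeps it out of the SQL text.
    if ($emailPrefix === '' || strlen($emailPrefix) > 254) {
        throw new InvalidArgumentException('bad email prefix');
    }

    $stmt = $pdo->prepare(
        "SELECT id, email FROM users WHERE email LIKE ? ORDER BY {$orderBy} {$dir}"
    );
    // LIKE wildcards in user input are escaped so % and _ mean themselves.
    $pattern = addcslashes($emailPrefix, '%_\\') . '%';
    $stmt->execute([$pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

A value such as `' OR 1=1 --` passed as `$emailPrefix` reaches the server only as a bound parameter, while the same text passed as `$orderBy` is rejected by the allow-list before any SQL is built.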
