PDO::quote is only *theoretically* safe ?

The documentation for PDO::quote [0] says that a processed string is "theoretically safe to pass into an SQL statement". Understandably, prepared statements should be preferred when possible. But I need to change some stuff where integrating them is impossible, and some values must be securely embedded into a query string.

There's only one stated problem of PDO::quote that could result in a SQL injection: When the charset has not been set for the connection. But as warned by the documentation, this will be guaranteed.

Neither mysql_real_escape_string [1] nor pg_escape_literal [2], which escape values for embedding into SQL query strings, has a note about being only *theoretically* safe. Only PDO::quote has such a warning.

* Is there any reason PDO::quote should be less safe than mysql_real_escape_string or pg_escape_literal for embedding values in SQL queries?
* Is it just written in a very security-centric way so that everyone sticks to prepared statements?

Although e.g. WordPress is not known for the cleanest code, mysql_real_escape_string has been used for years without any known problems.

[0] https://www.php.net/manual/en/pdo.quote.php
[1] https://www.php.net/manual/en/function.mysql-real-escape-string
[2] https://www.php.net/manual/en/function.pg-escape-literal.php
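The charset caveat from the manual, shown side by side with the preferred prepared-statement path, as an added example that is not part of the original post. It assumes a MySQL server reachable with the placeholder DSN and credentials below and an `authors` table with `id` and `name` columns.

```php
<?php
// Added example (not from the original post). DSN, credentials and the
// "authors" table are placeholders; adjust them for a real setup.

// Put the charset in the DSN. PDO::quote delegates to the driver's escaping
// routine, which escapes according to the charset the client library thinks
// is in use. A later "SET NAMES" changes only the server side, so the client
// would still escape with its default charset; that is the gap the manual warns about.
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=example;charset=utf8mb4', // charset in the DSN
    'app_user',                                             // placeholder
    'app_password',                                         // placeholder
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepared statements
    ]
);

// Constructed input containing characters that must be escaped.
$untrusted = "O'Reilly \\ \"quoted\"";

// 1) Preferred: a prepared statement; the value never enters the SQL text.
$stmt = $pdo->prepare('SELECT id FROM authors WHERE name = ?');
$stmt->execute([$untrusted]);
$viaPrepare = $stmt->fetchAll(PDO::FETCH_COLUMN);

// 2) Where the query string must be assembled by hand: quote the value on
// the same connection. PDO::quote returns the literal *including* its
// surrounding quotes, so it must not be wrapped in quotes again. It returns
// false for drivers that do not support quoting, so check for that.
$literal = $pdo->quote($untrusted);
if ($literal === false) {
    throw new RuntimeException('driver does not support PDO::quote');
}
$sql = 'SELECT id FROM authors WHERE name = ' . $literal;
$viaQuote = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);

// Both paths should select the same rows for the same input.
var_dump($viaPrepare === $viaQuote);

// Check for the caveat: confirm which charset the server sees for this client.
$charset = $pdo->query('SELECT @@character_set_client')->fetchColumn();
echo "client charset: $charset\n"; // expect utf8mb4 with the DSN above
```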
