jaipai — 2012-08-30T16:17:34-04:00 — #1
I've read time and time again that PDO does filter through many SQL type injections.
I'm just wondering if I should still be using mysql_real_escape_string or anything else like htmlentities.
I'm releasing a new site out that right now only uses PDO and I'm wondering whether it's secure for public usage.
logic_earth — 2012-08-30T16:24:46-04:00 — #2
Prepared statements are not vulnerable to SQL injection, at all. Only if you embed user-submitted data into the SQL query itself will you have a vulnerability.
cpradio — 2012-08-30T16:25:06-04:00 — #3
You will still need to perform htmlentities, but you do not need mysql_real_escape_string. htmlentities protects against XSS attacks (not SQL injection), which is why it is still needed. PDO handles what mysql_real_escape_string did, so long as you either 1) use prepared statements with bindValue or bindParam, or 2) use prepared statements and pass the parameters as an array to execute.
Concatenating a string and using query() is not protected.
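To make the three cases from the post above concrete, here is an added PHP example (not code from the thread or from any poster). It assumes a `users` table with `id` and `username` columns; the DSN, credentials and the `$_GET` parameter names are placeholders.

```php
<?php
// Added example: the same lookup done the unsafe way and the two safe ways.
// Connection details are assumptions; replace with your own.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$username = isset($_GET['username']) ? $_GET['username'] : '';

// 1) VULNERABLE: user input is concatenated into the SQL text and sent with query().
//    A value such as  ' OR '1'='1  becomes part of the statement and changes its logic.
$sql  = "SELECT id, username FROM users WHERE username = '" . $username . "'";
$rows = $pdo->query($sql)->fetchAll();

// 2) SAFE: prepared statement with bindValue(). The value is sent separately
//    from the SQL text, so it can never be parsed as SQL.
$stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
$stmt->bindValue(':username', $username, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll();

// 3) SAFE: prepared statement with the parameters passed as an array to execute().
$stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = ?');
$stmt->execute([$username]);
$rows = $stmt->fetchAll();

// Caveat: placeholders stand in for values only. Table names, column names and
// ORDER BY direction cannot be bound, so check them against a whitelist before
// putting them into the SQL string.
$allowedSort = ['id', 'username'];
$sort = isset($_GET['sort']) && in_array($_GET['sort'], $allowedSort, true)
    ? $_GET['sort']
    : 'id';
$stmt = $pdo->prepare("SELECT id, username FROM users ORDER BY $sort");
$stmt->execute();
$rows = $stmt->fetchAll();
```

Case 1 is exactly the concatenation-plus-query() pattern the post warns about; cases 2 and 3 are the two bound-parameter forms it recommends. The whitelist at the end covers the one thing bound parameters cannot protect: identifiers and keywords that are not values.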
jaipai — 2012-08-30T16:36:54-04:00 — #4
Okay thanks a bunch guys.
Also, about htmlentities... It puts slashes in front of ' and ". How do I take those off when I want to retrieve that data?
Thanks a bunch.
cpradio — 2012-08-30T17:14:33-04:00 — #5
using html_entity_decode(), but keep in mind, doing that will reintroduce an XSS attack unless you use strip_tags to remove non-essential HTML markup.
felgall — 2012-08-30T17:37:00-04:00 — #6
htmlentities is for escaping data when you output it as HTML, so that it displays properly. It has nothing to do with inserting the data into the database.
You need to VALIDATE the data when someone first inputs it - there is no point in protecting against SQL injection if you still allow someone to fill your database with meaningless junk.
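The two points made in the last replies, validate on input and escape only on output, look like this in practice. This is an added example, not code from the thread; the validation rules, the `comments` table and the helper names are assumptions.

```php
<?php
// Added example: validate when data arrives, store it as typed, escape when it is
// rendered as HTML. The rules below are illustrative assumptions.

// Validate at the point of input: reject junk rather than trying to "clean" it.
function validateUsername($input)
{
    $input = trim((string) $input);
    // Assumed rule: 3 to 20 characters of letters, digits or underscore.
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $input) ? $input : null;
}

function validateComment($input)
{
    $input = trim((string) $input);
    // Assumed rule: non-empty and at most 1000 characters. No HTML stripping:
    // the text is stored exactly as typed and escaped later on output.
    if ($input === '' || mb_strlen($input, 'UTF-8') > 1000) {
        return null;
    }
    return $input;
}

// Escape only where the value is written into an HTML document.
// ENT_QUOTES converts both ' and " so the result is safe inside attributes too.
function h($value)
{
    return htmlentities((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$username = validateUsername(isset($_POST['username']) ? $_POST['username'] : '');
$comment  = validateComment(isset($_POST['comment']) ? $_POST['comment'] : '');
if ($username === null || $comment === null) {
    http_response_code(400);
    exit('Invalid input');
}

// Store the raw, validated values with bound parameters. No htmlentities here:
// the database holds what the user typed, and SQL injection is handled by PDO.
$stmt = $pdo->prepare('INSERT INTO comments (username, body) VALUES (?, ?)');
$stmt->execute([$username, $comment]);

// Render: escape each value as it goes into the page. A stored body of
// <script>alert(1)</script> is shown as literal text, not executed.
$stmt = $pdo->query('SELECT username, body FROM comments ORDER BY id DESC LIMIT 20');
foreach ($stmt as $row) {
    echo '<p><b>' . h($row['username']) . '</b>: ' . h($row['body']) . "</p>\n";
}
```

Because the value stored in the database is never entity-encoded, there is nothing to decode when it is read back: `htmlentities` runs once, at output time, and the same stored text can still be reused unchanged in a JSON response, an email or a log line with the escaping appropriate to that context.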