ibazz — 2011-07-09T21:51:36-04:00 — #1
Been trying to ensure my queries are good. Something crossed my mind.
To prevent someone injecting extra stuff into my query, perhaps through a form, should I add 'WHERE 1' to all queries where WHERE isn't really 'needed', so that a WHERE something = something_else can't be added by a malicious input? I can add it, but will it prevent even one type of malicious hack?
samanime — 2011-07-10T02:12:52-04:00 — #2
It could help. I think Wordpress adds WHERE 1 = 1 to their queries for this reason.
However, they can easily add a # to the end of their injection, which can cut off everything else in the query.
spiderling — 2011-07-12T17:08:13-04:00 — #3
Would using PDO not eliminate any risk of having any SQL injection issues?
samanime — 2011-07-12T17:12:19-04:00 — #4
There's always a risk. It'll greatly greatly reduce it, but there is always a risk. =p
oddz — 2011-07-12T20:28:32-04:00 — #5
PDO does nothing itself; using prepared statements to properly separate user input does. PDO just provides a simple interface to do so, but you can still F**k it up if you don't know what you're doing.
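To make the two points in this thread concrete (a comment marker cuts off whatever follows the injected text, and only parameter binding keeps input out of the SQL grammar), here is an added example in Python with the standard sqlite3 module; it is not code from any poster. SQLite comments start with `--` where MySQL also accepts `#`; the table and rows are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed sample data: one active user and one inactive user.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, active INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", 1), (2, "bob", 0)],
    )
    return conn


def lookup_concat(conn, name):
    # Unsafe pattern: the input is spliced into the SQL text, so a quote
    # followed by a comment marker ends the string and discards every
    # clause after it. Trailing conditions such as "AND active = 1" (or
    # a "WHERE 1" added for safety) are simply never seen by the engine.
    sql = "SELECT name FROM users WHERE name = '" + name + "' AND active = 1"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    # Safe pattern: the statement is compiled with a placeholder and the
    # value is bound separately, so the input is only ever a string
    # literal and can never change the query structure.
    sql = "SELECT name FROM users WHERE name = ? AND active = 1"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    probe = "bob' --"  # quote closes the literal, comment drops the rest
    print("concatenated:", lookup_concat(db, probe))  # ['bob'] despite active = 0
    print("parameterised:", lookup_param(db, probe))  # [] - no user has that name
```

The parameterised call returns an empty list because the whole string, comment marker included, is compared against the name column; the same holds for PDO prepared statements with bound parameters, which is what oddz describes.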