
Thread: Is it possible to hack PHP PDO?

  1. #1

    Is it possible to hack PHP PDO?

    I think a PHP PDO query with parentheses around the parameters is safe from SQL injection.
    "select * from users where id=(:id)"
    Do you agree or disagree with this statement?

  2. #2
    Hi,

    The simple answer to this question is NO. Parameterized or prepared statements are usually good enough to prevent SQL injection, but not fully. If you do not set the character encoding type, then it is possible to break the query.

    Example vulnerable code:

    Code:
    // Switches the server-side connection charset to GBK behind PDO's back; the
    // client-side escaping used by emulated prepares still assumes the original charset.
    $pdo->query('SET NAMES gbk');
    // 0xBF followed by the escaping backslash (0x5C) forms one valid GBK character,
    // so the quote that follows is no longer escaped from the server's point of view.
    $var = "\xbf\x27 OR 1=1 /*";
    $query = 'SELECT * FROM test WHERE name = ? LIMIT 1';
    $stmt = $pdo->prepare($query);   // with emulated prepares, PDO interpolates $var client-side
    $stmt->execute(array($var));
    Now, it's worth noting that you can prevent this by disabling emulated prepared statements:

    Code:
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // use real server-side prepared statements
    I hope this is helpful for you.
    Garage4Hackers: bugs for the community, of the community

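The following is an added illustration written for this page, not code posted by either participant. The first function makes the byte-level problem from the reply visible: emulated prepares escape the value client-side (modelled here with addslashes), and under GBK the inserted 0x5C becomes the trail byte of a two-byte character, leaving the quote bare. The second part is a hardened connection factory and a parameterised lookup. Host, database and credentials are placeholders, and the `charset=` DSN option assumes PHP 5.3.6 or later.

```php
<?php
// Added example, not from the original thread. Function names are this example's own.

// Part 1: why client-side escaping fails once the server charset is GBK.
// addslashes() stands in for the escaping emulated prepares apply; it places
// 0x5C in front of the quote. Under GBK, 0xBF 0x5C is one valid character, so
// the server decodes "<char>'" and the quote is no longer escaped.
function escapedBytesHex(string $value): string
{
    return bin2hex(addslashes($value));
}

// Part 2: hardened connection. The charset belongs in the DSN so PDO and the
// server agree on it from the first packet; do not change it later with
// SET NAMES. Emulated prepares are disabled so parameters travel to the server
// in the binary protocol and are never spliced into the SQL text on the client.
function connectHardened(string $host, string $db, string $user, string $pass): PDO
{
    // placeholder host/db/credentials are passed in by the caller
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $host, $db);
    $options = [
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, never silently
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    return new PDO($dsn, $user, $pass, $options);
}

// Parameterised lookup. Parentheses around the placeholder (as in the question)
// add no protection; the binding does the work.
function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE name = :name LIMIT 1');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Usage with the constructed input from the thread: the hex output shows the
// 0x5C landing between 0xBF and 0x27, which is exactly the GBK lead/trail pair.
echo escapedBytesHex("\xbf\x27 OR 1=1 /*"), PHP_EOL;

// $pdo = connectHardened('db.example.internal', 'appdb', 'app_user', 'REPLACE_ME');
// var_dump(findUserByName($pdo, "\xbf\x27 OR 1=1 /*")); // returns null: the value is just a string
```

Both fixes matter together: `charset=` in the DSN tells the client library which encoding to escape for, and `ATTR_EMULATE_PREPARES => false` removes client-side escaping from the path entirely. A `SET NAMES` issued after connecting undoes the first guarantee, which is why the reply's vulnerable snippet starts with it.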
