I think a PHP PDO query with parentheses around the placeholder is safe from SQL injection:
"select * from users where id=(:id)"
Do you agree or disagree with this statement?
Hi,
The simple answer to this question is NO. Parameterized or prepared statements are usually good enough to prevent SQL injection, but not fully. If you do not set the character encoding type, then it is possible to break the query.
Example vulnerable code:
Code:
// Connection charset changed behind PDO's back; PDO's client-side
// escaping still assumes the old encoding.
$pdo->query('SET NAMES gbk');
// Multibyte prefix byte followed by a quote: under GBK the escape
// character gets swallowed into a two-byte character.
$var = "\xbf\x27 OR 1=1 /*";
$query = 'SELECT * FROM test WHERE name = ? LIMIT 1';
$stmt = $pdo->prepare($query);
$stmt->execute(array($var));
Now, it's worth noting that you can prevent this by disabling emulated prepared statements:
Code:
// Placeholders are now sent to the server as a real prepared statement.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
I hope this is helpful for you.
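The two points raised in the thread (the parentheses are irrelevant, and the protection comes from how the connection is configured) can be shown together in one hardened PDO setup. This is an added example, not code from the original post or from any of its authors; the DSN, credentials and the `users(id INT, name VARCHAR)` table it queries are placeholder assumptions, and `connect`/`findUser` are hypothetical helper names.

```php
<?php
// Added example: a PDO connection that does not depend on "SET NAMES"
// and does not splice values into the SQL text on the client.
// Assumes a MySQL server at the placeholder DSN and a table
// `users(id INT, name VARCHAR)`; adjust before running.

function connect(): PDO {
    // 1. Declare the character set in the DSN so the client library, not a
    //    later "SET NAMES", knows what encoding the strings are in.
    $dsn = 'mysql:host=127.0.0.1;dbname=testdb;charset=utf8mb4'; // placeholder

    return new PDO($dsn, 'db_user', 'db_password', [            // placeholder creds
        // 2. Turn off client-side emulation: the SQL text and the bound
        //    values travel to the server separately, so no client-side
        //    quoting step exists to be confused by a charset mismatch.
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

function findUser(PDO $pdo, string $id): ?array {
    // 3. Type-check first: id is an integer column, so reject anything that
    //    is not an integer before it reaches the database. This also avoids
    //    MySQL's silent string-to-number coercion (a string starting with
    //    "1" would otherwise compare equal to 1).
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return null;
    }

    // The parentheses around :id are plain SQL syntax; they neither add nor
    // remove protection. The placeholder is what keeps $id a value.
    $stmt = $pdo->prepare('SELECT * FROM users WHERE id = (:id)');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = connect();
var_dump(findUser($pdo, '42'));            // the row with id 42, or null
var_dump(findUser($pdo, "1' OR '1'='1"));  // null: rejected by the integer check
```

With emulation disabled the `SET NAMES gbk` trick from the answer has no client-side quoting step to act on; the DSN charset keeps the client and server in agreement even if someone later issues `SET NAMES` on the connection. The integer validation is an independent layer: it keeps a non-numeric id out of the query entirely, whichever driver mode is in use.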