pdo security

purencool

hi php freaks

 

I am using PDO as the driver for my new app. The issue is I can't seem to find a clear answer. I want to sanitise the vars that

are coming into the database, but PDO is supposed to fix all the issues. Is this true? What other things do I need to watch for when using PDO? They must have some flaws.

 

Thanks

https://forums.phpfreaks.com/topic/225461-pdo-security/

thanks for your reply. You have just reinforced what I thought was true. The only clear information I can find is from owasp and this is what they say.

 

# Do not use simple escaping functions, such as PHP's addslashes() or character replacement functions like str_replace("'", ""). These are weak and have been successfully exploited by attackers. For PHP, use mysql_real_escape_string() if using MySQL, or preferably use PDO which does not require escaping

 

They also say this, whatever this means:

PHP - use PDO with strongly typed parameterized queries (using bindParam()).

https://forums.phpfreaks.com/topic/225461-pdo-security/#findComment-1164264


Just to make sure, even if you use PDO or mysqli_real_escape_string, keep in mind that garbage in means garbage out. So make sure you also sanitize on output. And I am not sure if I am correct, but mysqli_real_escape_string only makes 1 call to the database, whereas PDO makes 2 calls, which is a bit much for a simple non-returning select query.

 

This is what the friends of google give: http://stackoverflow.com/questions/3101307/mysqli-prepared-statements-and-mysqli-real-escape-string

https://forums.phpfreaks.com/topic/225461-pdo-security/#findComment-1164471
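To make the OWASP advice from the second reply ("strongly typed parameterized queries using bindParam()") and the "sanitize on output" point from the third reply concrete, here is an added example that is not code from the thread. It contrasts the string-built query the thread is worried about with a PDO prepared statement, and escapes the value when it is rendered; the connection details, the `users` table and its columns are assumed.

```php
<?php
// Added example, not from the thread. Connection string, credentials and the
// users(id, name) table are assumptions for illustration only.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Use the server's native prepared statements, so query text and data are
    // sent separately instead of PDO emulating the binding client-side.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// UNSAFE pattern the thread is asking about: the input becomes part of the SQL
// text, so PDO cannot tell where the query ends and the data begins.
function findUserUnsafe(PDO $pdo, string $id): array
{
    $sql = "SELECT id, name FROM users WHERE id = " . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed at prepare() time; $id travels as a typed
// parameter, which is what OWASP means by "strongly typed" and bindParam().
function findUser(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindParam(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Prepared statements only protect the query. The page that displays the
// stored value still has to escape it for its context (HTML here).
function renderName(?array $user): string
{
    if ($user === null) {
        return '<p>No such user.</p>';
    }
    return '<p>' . htmlspecialchars($user['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Validate the type before the query: a non-integer id never reaches MySQL.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid id');
}
echo renderName(findUser($pdo, $id));
```

bindParam() binds the variable by reference and reads it at execute() time, while bindValue() copies the value immediately; both accept the PDO::PARAM_* type hint, so either fits the OWASP wording.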
