user390480

Reputation: 1665

Does the Zebra_Database MySQL wrapper protect against SQL injection?

I am considering using a MySQL wrapper named Zebra_Database found here:

http://stefangabos.ro/php-libraries/zebra-database/

Can someone tell by the code if this protects against SQL injection, or are there further steps I should take to protect myself?

Thanks!!

Upvotes: 1

Views: 403

Answers (2)

Your Common Sense

Reputation: 157914

It encourages the use of prepared statements - the same limited version used by mysqli - so, it offers no 100% protection.
It uses some sort of query builder - so, it makes your SQL too inflexible (and - therefore - insecure again).

Personally I wouldn't use it, but for starters it's better than "wrap each input with mysqli_real_escape_string" anyway.

Upvotes: 2

Benjamin Gruenbaum

Reputation: 276496

It encourages the use of prepared statements, which are not susceptible to SQL injection.

From the front page of Zebra_Database:

It encourages developers to write maintainable code and provides a better default security layer by encouraging the use of prepared statements, where parameters are automatically escaped.

Which means you should use prepared statements, which are not susceptible to SQL injection to begin with. See this question about the usage of prepared statements.

Upvotes: 1
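Both answers turn on the same point: a prepared statement keeps the SQL text fixed and sends the value separately, so the value can never change the query's structure, while placeholders bind values only, never identifiers such as column names (the "limited version" the first answer refers to). The following is an added example, not code from the question, the answers or Zebra_Database; it uses Python's standard sqlite3 module in place of MySQL, a constructed in-memory users table, and hypothetical function names, to show the concatenated query beside its parameterized form and a whitelist for the identifier case that placeholders cannot cover.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a MySQL database (sample data only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    # The pattern the first answer warns against: the input is pasted into the SQL
    # text, so it is parsed as SQL and can rewrite the WHERE clause instead of
    # acting as a plain value.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_prepared(conn, name):
    # Parameterized form, the protection both answers describe: the SQL text is
    # fixed and the value is bound separately, so the database never parses it
    # as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Identifiers cannot be bound through placeholders, so a runtime-chosen column
# is checked against a fixed whitelist before it is spliced into the statement.
ALLOWED_SORT_COLUMNS = {"name", "email"}


def list_users_sorted(conn, column):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY " + column)]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that is valid SQL when concatenated
    print(find_user_unsafe(db, crafted))    # every row: the input rewrote the WHERE clause
    print(find_user_prepared(db, crafted))  # []: the same input was treated as a literal string
    print(list_users_sorted(db, "email"))
```

The same distinction applies to mysqli or PDO in PHP: `?` placeholders protect values, and anything else that varies at runtime (column names, table names, ORDER BY direction) has to come from a list the application controls.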
