6:[["$","$Le",null,{}],["$","div",null,{"className":"min-h-screen bg-gray-100 p-6","children":[["$","$Lf",null,{}],["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org\",\"@type\":\"QAPage\",\"mainEntity\":{\"@type\":\"Question\",\"name\":\"sql statements and pdo\",\"text\":\"

There is a pdo wrapper class that has turns off emulation or prepared statements using:

\\n\\n

setAttribute(PDO::ATTR_EMULATE_PREPARES, false);\\n

\\n\\n

I am seeing where some of the sql statements are written using standard non parameterized methods such as seen below:

\\n\\n

select * from table where name = '\\\".$name.\\\"'. \\n

\\n\\n

Are these kind of statements protected against sql injections even though a pdo wrapper is employed?

\\n\",\"author\":{\"@type\":\"Person\",\"name\":\"user2397380\"},\"upvoteCount\":1,\"answerCount\":1,\"acceptedAnswer\":null}}"}}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mb-6 relative","children":[["$","div",null,{"className":"absolute top-4 right-4 flex flex-wrap space-x-2","children":[["$","span","php",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/php/1","children":"php"}]}],["$","span","mysql",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/mysql/1","children":"mysql"}]}],["$","span","pdo",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/pdo/1","children":"pdo"}]}]]}],["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/aa7a012b7403e759c9c216ae23018620?s=256&d=identicon&r=PG","alt":"user2397380","className":"w-16 h-16 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/2397380/user2397380","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"user2397380"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",31]}]]}]]}],["$","h1",null,{"className":"text-2xl font-bold text-gray-800 mb-4","children":"sql statements and pdo"}],["$","p",null,{"className":"text-gray-700 mt-4","dangerouslySetInnerHTML":{"__html":"

There is a pdo wrapper class that has turns off emulation or prepared statements using:

\n\n

setAttribute(PDO::ATTR_EMULATE_PREPARES, false);\n

\n\n

I am seeing where some of the sql statements are written using standard non parameterized methods such as seen below:

\n\n

select * from table where name = '\".$name.\"'. \n

\n\n

Are these kind of statements protected against sql injections even though a pdo wrapper is employed?

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm mt-4","children":[["$","p",null,{"children":["Upvotes: ",1]}],["$","p",null,{"children":["Views: ",63]}]]}]]}],["$","div",null,{"className":"container mx-auto","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-6","children":["Answers (",1,")"]}],[["$","div","16748420",{"className":"bg-white shadow-md rounded-lg p-6 mb-6","children":[["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://i.sstatic.net/uhHvv.jpg?s=256","alt":"Your Common Sense","className":"w-12 h-12 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/285587/your-common-sense","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"Your Common Sense"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",157991]}]]}]]}],["$","p",null,{"className":"text-gray-700 mb-4","dangerouslySetInnerHTML":{"__html":"

Your idea of protecting from injections is quite wrong.

\n\n

It is not PDO just by it's presence (which can be interfered by some wrapper) protects your queries, but prepared statements.

\n\n

As long as you are using prepared statements, your queries are safe, no matter if it's PDO or wrapper, or even poor old mysql ext.

\n\n

But if you are putting your data in the query directly, like in your example, there is no protection at all

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm","children":["$","p",null,{"children":["Upvotes: ",3]}]}]]}]]]}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mt-6","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-4","children":"Related Questions"}],["$","ul",null,{"className":"list-disc list-inside","children":[["$","li","42080541",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/42080541","className":"text-blue-600 hover:underline","children":"having trouble with sql"}]}],["$","li","33934974",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/33934974","className":"text-blue-600 hover:underline","children":"PHP PDO confusion"}]}],["$","li","30872182",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/30872182","className":"text-blue-600 hover:underline","children":"Php and mysql pdo query"}]}],["$","li","25094497",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/25094497","className":"text-blue-600 hover:underline","children":"Sql query using pdo in mysql"}]}],["$","li","20457083",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/20457083","className":"text-blue-600 hover:underline","children":"PHP Using PDO and PDOStatement"}]}],["$","li","20404867",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/20404867","className":"text-blue-600 hover:underline","children":"PDO... Am I doing it right?"}]}],["$","li","9212794",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/9212794","className":"text-blue-600 hover:underline","children":"Converting MySQL to PDO"}]}],["$","li","9126410",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/9126410","className":"text-blue-600 hover:underline","children":"convert mysql to PDO statement"}]}],["$","li","7611890",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/7611890","className":"text-blue-600 hover:underline","children":"Building queries with PDO?"}]}],["$","li","5047990",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/5047990","className":"text-blue-600 hover:underline","children":"PHP PDO Help Required"}]}]]}]]}]]}],["$","$L11",null,{}],["$","$L12",null,{}],["$","$L13",null,{}],["$","$L14",null,{}],["$","$L15",null,{}]]

sql statements and pdo

Answers (1)

Related Questions