GatesPlan

Reputation: 497

PHP: Is using PDO really secure, even without old-style sanitization or escaping?

I had been filtering every variable before I started using PDO. Back then, I usually escaped strings and checked their length. If the value was an integer or any other numeric value, I tried to figure out whether the value was really of the desired type and value.

But after switching to PDO, the only thing I do for security is set the PDO::PARAM_* constant as the binding option, like the following:

    $stmt = $this->db->prepare("select * from $dbSessionTableName where acntid = ? and end > now()");
    $stmt->bindValue(1, $_SESSION['account_id'], PDO::PARAM_INT);
    $stmt->execute();

Is this really secure?

Upvotes: 1

Views: 59

Answers (1)

Your Common Sense

Reputation: 157839

There are two answers to your question.

  1. Speaking of binding parameters, yes, it is fully secure against SQL injection and does not require any other validation. Even setting the PDO::PARAM_* constant as a binding option is not necessary. You can simply write your code as follows and it will be secure as well:

    $stmt = $this->db->prepare("select * from table where acntid = ? and end > now()");
    $stmt->execute([$_SESSION['account_id']]);

    Note that all old-style "sanitization" practices related to SQL injection are not only unnecessary but actually harmful and should be avoided.

  2. However, speaking of the $dbSessionTableName variable, it is still insecure, as it would be with any other approach, and it has to be validated.

Upvotes: 2
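The two points of the answer put together, as an added example that is not part of the question or the answer above: the account id travels as a bound parameter, while the table name, which cannot be bound, is checked against a fixed allow-list before it is spliced into the SQL. The table names, the `sessions` schema, the DSN and the `findActiveSessions` function name are assumptions made for the example.

```php
<?php
// Added example, not code from the question or answer. Assumes a MySQL
// database reachable over PDO with a sessions table that has the columns
// acntid and end, as in the question's query.
declare(strict_types=1);

/**
 * Return the active session rows for one account.
 *
 * $tableName is an SQL identifier. Identifiers cannot be passed as bound
 * parameters, so the only safe way to let it vary is to accept it solely
 * from a list of names the application itself defines.
 * $accountId is ordinary data and is passed as a bound parameter, which is
 * what makes escaping or length-checking it unnecessary.
 */
function findActiveSessions(PDO $pdo, string $tableName, int $accountId): array
{
    // Hypothetical allow-list of session tables known to this application.
    static $allowedTables = ['sessions', 'sessions_archive'];

    // Strict comparison against the allow-list; anything else is rejected
    // before it can reach the query text.
    if (!in_array($tableName, $allowedTables, true)) {
        throw new InvalidArgumentException("Unknown session table: $tableName");
    }

    // The identifier is interpolated only after the allow-list check.
    // Backticks are MySQL identifier quoting; the placeholder "?" is the
    // bound parameter for the account id.
    $sql = sprintf(
        'SELECT * FROM `%s` WHERE acntid = ? AND `end` > NOW()',
        $tableName
    );

    $stmt = $pdo->prepare($sql);
    // No PDO::PARAM_* needed: the value is sent separately from the SQL text.
    $stmt->execute([$accountId]);

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (connection details are placeholders).
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'db_user',
    'db_password',
    [
        // Surface query errors as exceptions instead of silent failures.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Use the server's native prepared statements rather than
        // client-side emulation.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// The cast keeps the type contract of the function; the allow-list check
// inside it handles the table name.
$rows = findActiveSessions($pdo, 'sessions', (int) $_SESSION['account_id']);
```

The design choice worth noting is that the two inputs are treated differently because they occupy different positions in the statement: a bound parameter can only ever be data, whereas an identifier becomes part of the SQL text, so the protection for it has to happen before the string is built. If the table name in your application never actually varies, the simplest fix is to hard-code it and drop the variable altogether.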
