PDO in Codeigniter - Protect vs SQL Injection

True PHP Security experts, is PDO the way to go or would I be ok with Codeigniter's Active Record class?

I have read http://codeigniter.com/forums/viewthread/179618/ and am not 100% convinced.
I usually lean on experts such as Chris Shiflett and OWASP for security tips. http://shiflett.org/blog/2006/jul/the-owasp-php-top-5

Been using a homebrewed PDO DB Class in place of the Codeigniter Database files. Every time I upload it is a relatively small pain to copy over. The main reason I use PDO is to protect from SQL Injection vs using Active Record.

EDIT: NOT TO BE A SHILL but I wrote a post after the fact on how to integrate PDO in Codeigniter. If anyone has feedback, I would be happy to hear.

445 likes · csi asked Feb 13 '11 17:02


2 Answers

Well, there is a general answer for all the questions of this kind:

It's not a wand, it's a wizard.

(dunno where I got that saying, but it seems I'm the only one using it, but most likely I misspelled it)

There is nothing good or bad in the technology itself.
Everything depends on the hands that are using it.

  1. There is nothing insecure in mysql, if used properly.
  2. PDO is not a magical aegis that covers your backs from all dangers by its presence only.

Every time I see lame talks of SQL injection, it's always about dynamic data only.
While most danger comes from other query parts - say, dynamic identifiers. Where PDO can do a little less than nothing to deal with them.

So, there cannot be a certain answer.
You can use whatever technology you like, as long as you understand what you are doing.
And on the contrary, if you don't understand how it works but just believe that some technology is doing your job of protecting your app, you're already in trouble.

That's it.

138 likes · Your Common Sense answered Oct 01 '22 14:10
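The point above about dynamic identifiers is the one most tutorials skip, so here is an added example (written for this page, not code from the answer or from CodeIgniter) showing it concretely. It assumes PHP 7 or later with the pdo_sqlite extension and builds a small `users` table in an in-memory SQLite database, so it runs offline; the table, rows and function names are all constructed for the demonstration. The first function tries to bind a column name as a parameter and gets an unsorted result, because a bound parameter is always a value; the second handles the identifier in PHP with a fixed allow-list, which is the part of the job no driver does for you.

```php
<?php
// Added example, not code from the answer or from CodeIgniter. Uses an
// in-memory SQLite database so it runs offline; table and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$pdo->exec("INSERT INTO users (name) VALUES ('carol'), ('alice'), ('bob')");

// 1. A bound parameter is a value, never an identifier. Binding the sort column
//    yields ORDER BY 'name' (a constant string expression), which sorts nothing:
//    the rows come back in table scan order (here, insertion order).
function usersSortedByBoundIdentifier(PDO $pdo, string $column): array
{
    $stmt = $pdo->prepare("SELECT name FROM users ORDER BY ?");
    $stmt->execute([$column]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Identifiers must be handled in application code: map the user's choice
//    onto a fixed list of column names and directions and refuse anything else.
//    The SQL text only ever contains strings from these arrays, never raw input.
function usersSortedByWhitelist(PDO $pdo, string $column, string $direction): array
{
    $columns    = ['id' => 'id', 'name' => 'name'];
    $directions = ['asc' => 'ASC', 'desc' => 'DESC'];
    if (!isset($columns[$column], $directions[$direction])) {
        throw new InvalidArgumentException("unsupported sort: $column $direction");
    }
    $sql = "SELECT name FROM users ORDER BY {$columns[$column]} {$directions[$direction]}";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

print_r(usersSortedByBoundIdentifier($pdo, 'name'));   // carol, alice, bob: not sorted
print_r(usersSortedByWhitelist($pdo, 'name', 'asc'));  // alice, bob, carol

// Anything outside the allow-list is rejected before it reaches the SQL text.
try {
    usersSortedByWhitelist($pdo, 'created_at', 'asc');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The same holds for table names, `LIMIT` clauses and operators: whatever part of the statement is not a literal value has to be chosen from a list the application controls, regardless of whether the values themselves go through PDO, Active Record or a hand-written escaping layer.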


According to the page you referenced, the Active Record class uses mysql_ functions for string-escaping. That means it's still building SQL strings up in PHP-land instead of using parametrized APIs into the database. While it may be free of known defects right now, it is still a better idea to use an API that follows a more secure design.

34 likes · Tom answered Oct 01 '22 13:10
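The difference Tom describes, and the one the question is really asking about, is whether the query text is assembled in PHP from user input or sent to the database as a constant with the values carried separately. The following is an added example (not code from the question, the answers or CodeIgniter) that puts the two side by side. It assumes PHP 7 or later with the pdo_sqlite extension and uses an in-memory SQLite database so it runs offline; the `users` table, its rows, the function names and the malformed input are all constructed for the demonstration.

```php
<?php
// Added example, not code from the question, the answers or CodeIgniter.
// Uses an in-memory SQLite database so it runs offline; table and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// The pattern Tom warns about: the SQL text is assembled in PHP from user input,
// so the database cannot tell where the statement ends and the data begins.
function countByConcatenation(PDO $pdo, string $name): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE name = '$name'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// The parametrized API: the SQL text is a constant, and the value is handed to
// the driver separately, so it can only ever be compared as data.
function countByParameters(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM users WHERE name = ?");
    $stmt->execute([$name]);
    return (int) $stmt->fetchColumn();
}

// Constructed input: a name that closes the string literal and appends an
// always-true condition. No user with this literal name exists.
$name = "nobody' OR '1'='1";

echo countByConcatenation($pdo, $name), "\n"; // 2: the condition was rewritten, every row matches
echo countByParameters($pdo, $name), "\n";    // 0: the whole string was compared as a name
```

With the MySQL driver the same code applies, and it is worth also setting `PDO::ATTR_EMULATE_PREPARES` to `false` on the connection so that PDO sends the statement to the server for a real prepare instead of emulating one by escaping values client-side; with emulation on, PDO is doing the same kind of string assembly in PHP that Tom's answer objects to, just with the escaping handled for you.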