Possible Duplicate:
How prepared statements can protect from SQL injection attacks?
For those of us who are new to PDO, we get that it is more secure and that it is better to use, but what I can't wrap my brain around is: how is this secured?
```php
<?php
// Connect. The MySQL DSN charset must be a MySQL charset name; "UTF-8" is not
// one, so utf8mb4 is used here (the original post had charset=UTF-8).
$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8mb4', 'username', 'password');
// Throw PDOException on errors instead of failing silently.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Let the MySQL server prepare statements natively instead of PDO emulating them.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

try {
    // connect as appropriate as above
    $db->query('hi'); // invalid query!
} catch (PDOException $ex) {
    echo "An Error occured!"; // user friendly message
    // some_logging_function is a placeholder for your own logging
    some_logging_function($ex->getMessage());
}

foreach ($db->query('SELECT * FROM table') as $row) {
    echo $row['field1'] . ' ' . $row['field2']; // etc...
}
?>
```
Mind you, I do understand what it does, but what exactly does it do to sanitize input? I know `mysql_*` uses `mysql_real_escape_string`, which just puts in the literal `\`. Does PDO use this same system? If not, what are we relying on as far as sanitation?
There doesn't seem to be anything to sanitize as input in your query. Furthermore, if you just put in your query, it will not do anything to it.
But it does have the magic called prepared statements, which does help you. You can check @yourcommonsense's link for more information on that:
How can prepared statements protect from SQL injection attacks?
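To make the difference concrete, here is an added example (not code from the question or the answer above) that runs the same lookup three ways: with the input concatenated into the SQL text, through a PDO prepared statement, and through PDO's `quote()`, which is the PDO counterpart of `mysql_real_escape_string`. It uses an in-memory SQLite database and a constructed `users` table so it runs offline; the table, the rows and the `$input` payload are all assumptions for the example. With the MySQL DSN from the question you would also set `PDO::ATTR_EMULATE_PREPARES` to `false`, as in the question, so the server rather than the PDO driver parses the statement.

```php
<?php
// Added example: same query unsafely concatenated, as a prepared statement,
// and with quote(). In-memory SQLite so it needs no server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data for the example.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)');
$db->exec("INSERT INTO users (name, is_admin) VALUES ('alice', 1), ('bob', 0)");

// Attacker-controlled input: the quote closes the string literal, OR 1=1
// makes the WHERE clause always true, and -- comments out the rest.
$input = "nobody' OR 1=1 --";

function showRows(string $label, array $rows): void
{
    echo $label . ': ' . (count($rows) ? implode(', ', $rows) : '(no rows)') . "\n";
}

// 1. Vulnerable: the input becomes part of the SQL text and is parsed as SQL,
//    so every user is returned.
$unsafe = "SELECT name FROM users WHERE name = '" . $input . "'";
showRows('concatenated query', $db->query($unsafe)->fetchAll(PDO::FETCH_COLUMN));

// 2. Prepared statement: the SQL text is fixed at prepare() time and the value
//    is handed over separately at execute() time. It is never re-parsed as SQL,
//    so the quote and the -- are just characters in a name that does not exist.
$stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $input]);
showRows('prepared statement', $stmt->fetchAll(PDO::FETCH_COLUMN));

// 3. Escaping: quote() wraps the value in quotes and escapes the quote
//    characters inside it (doubling them for SQLite, backslash-escaping for
//    MySQL). This also blocks the payload, but only for string literals and
//    only when you remember to call it for every single value; prepared
//    statements do not depend on that discipline.
$escaped = 'SELECT name FROM users WHERE name = ' . $db->quote($input);
showRows('escaped query', $db->query($escaped)->fetchAll(PDO::FETCH_COLUMN));
```

Run it with `php example.php`: the concatenated query lists both users, while the prepared statement and the escaped query return no rows. The point the linked answer makes is the second case: with a prepared statement there is nothing to "sanitize", because the user's value never becomes part of the SQL that gets parsed.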