I am modifying my code from using mysql_* to PDO. In my code I had mysql_real_escape_string(). What is the equivalent of this in PDO?
The real_escape_string() / mysqli_real_escape_string() function escapes special characters in a string for use in an SQL query, taking into account the current character set of the connection.
mysql_real_escape_string is usually enough to avoid SQL injection. This does depend on it being bug free though, i.e. there's some small unknown chance it is vulnerable (but this hasn't manifested in the real world yet).
This extension was deprecated in PHP 5.5.0, and it was removed in PHP 7.0.
PDO::quote() places quotes around the input string (if required) and escapes special characters within the input string, using a quoting style appropriate to the underlying driver.
Well no, there is none! Technically there is PDO::quote(), but it is rarely ever used and is not the equivalent of mysql_real_escape_string(). That's right! If you are already using PDO the proper way, as documented, using prepared statements, then it will protect you from MySQL injection.
Example: below is an example of a safe database query using prepared statements (PDO).

try {
    // first connect to database with the PDO object.
    $db = new \PDO("mysql:host=localhost;dbname=xxx;charset=utf8", "xxx", "xxx", [
        \PDO::ATTR_EMULATE_PREPARES => false,
        \PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION
    ]);
} catch (\PDOException $e) {
    // if connection fails, show PDO error.
    echo "Error connecting to mysql: " . $e->getMessage();
}
And, now assuming the connection is established, you can execute your query like this.
if ($_POST && isset($_POST['color'])) {
    // preparing a statement
    $stmt = $db->prepare("SELECT id, name, color FROM Cars WHERE color = ?");
    // execute/run the statement.
    $stmt->execute(array($_POST['color']));
    // fetch the result.
    $cars = $stmt->fetchAll(\PDO::FETCH_ASSOC);
    var_dump($cars);
}
Now, as you can probably tell, I haven't used anything to escape/sanitize the value of $_POST["color"]. And this code is secure from MySQL injection thanks to PDO and the power of prepared statements.
It is worth noting that you should pass a charset=utf8 attribute in your DSN, as seen above, for security reasons, and always enable PDO to show errors in the form of exceptions (PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION), so errors from your database queries won't reveal sensitive data like your directory structure, database username, etc.
Last but not least, there are moments when you should not trust PDO 100%, and will be bound to take some extra measures to prevent SQL injection. One of those cases is if you are using an outdated version of MySQL [ mysql =< 5.3.6 ], as described in this answer. But using prepared statements as shown above will always be safer than using any of the functions that start with mysql_.
Good reads
There is none*! The object of PDO is that you don’t have to escape anything; you just send it as data. For example:
$query = $link->prepare('SELECT * FROM users WHERE username = :name LIMIT 1;');
$query->execute([':name' => $username]); # No need to escape it!
As opposed to:
$safe_username = mysql_real_escape_string($username);
mysql_query("SELECT * FROM users WHERE username = '$safe_username' LIMIT 1;");
* Well, there is one, as Michael Berkowski said! But there are better ways.
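Both answers make the same point: a prepared statement sends the value as data, while PDO::quote() only hands back a quoted literal. As an added example (not code from either answer), here is the same lookup done three ways against an in-memory SQLite database; it assumes the pdo_sqlite extension so it runs without a MySQL server, and the PDO calls are the same ones used with the mysql driver.

```php
<?php
// Added example, not from either answer. Uses an in-memory SQLite database
// (assumes the pdo_sqlite extension) so it runs without a MySQL server.
$db = new \PDO('sqlite::memory:', null, null, [
    \PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION,
]);
$db->exec("CREATE TABLE Cars (id INTEGER PRIMARY KEY, name TEXT, color TEXT)");
$db->exec("INSERT INTO Cars (name, color) VALUES ('Mini', 'red'), ('Beetle', 'blue')");

// Constructed input: a value that happens to contain a single quote.
$color = "Bob's red";

// 1. Prepared statement: the value is bound separately and never becomes
//    part of the SQL text, so the quote is just a character in the data.
function findByColorPrepared(\PDO $db, string $color): array
{
    $stmt = $db->prepare("SELECT id, name, color FROM Cars WHERE color = :color");
    $stmt->execute([':color' => $color]);
    return $stmt->fetchAll(\PDO::FETCH_ASSOC);
}

// 2. Interpolation: the quote in the value terminates the SQL string literal
//    early, so the statement is no longer the one the developer wrote.
function findByColorInterpolated(\PDO $db, string $color): array
{
    $stmt = $db->query("SELECT id, name, color FROM Cars WHERE color = '$color'");
    return $stmt->fetchAll(\PDO::FETCH_ASSOC);
}

// No car has this color, and no SQL error is raised.
var_dump(findByColorPrepared($db, $color));

try {
    findByColorInterpolated($db, $color);
} catch (\PDOException $e) {
    // With ERRMODE_EXCEPTION the malformed statement is reported here instead
    // of silently returning false.
    echo "Interpolated query failed: " . $e->getMessage() . PHP_EOL;
}

// 3. PDO::quote(): returns the value escaped AND wrapped in quotes, using the
//    driver's own rules, so it is not a drop-in for mysql_real_escape_string(),
//    which returns the bare escaped string without the surrounding quotes.
echo $db->quote($color) . PHP_EOL;
```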