Anthony Ferrara wrote:
Even with PDO and older versions of MySQL, you could inject into
prepared statements quite easily (assuming charset settings):
$var = '1' . chr(0xbf) . chr(0x27) . ' OR 1=1';
$pdo = new PDO('mysql:...');
$pdo->query('SET NAMES GBK');
$stmt = $pdo->prepare('SELECT * FROM foo WHERE 2 = ?');
$stmt->bindParam(1, $var);
$stmt->execute();
Without setting $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, 0)
first, that will successfully inject into the query thanks to how PDO
emulates prepares.
A problem that true prepared statements (MySQLi, and PDO if it has emulated
prepares off) are immune to...
Try doing that with a real database ;)
Firebird is not susceptible to this sort of problem. And I have still to find any use for PDO in real systems. It's just another layer that gets in the way of processing data securely. Emulating things half-cocked is simply another security hole anyway.
--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk//
Firebird - http://www.firebirdsql.org/index.php
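For readers who want the defensive counterpart to the snippet Anthony quoted, here is an added example (my own, not code from either post): the PDO connection settings that close the gap, plus a byte-level illustration of why a "SET NAMES" sent through query() is not enough on its own. Host, database and credentials are placeholders, and the payload bytes are constructed to match the quoted snippet.

```php
<?php
// Added example, not from the thread. Hardened PDO/MySQL setup and a
// byte-level illustration of the escaping problem discussed above.

// 1. Connection: put the charset in the DSN so the client library escapes
//    with the right rules, and turn emulation off so bound values are sent
//    separately from the SQL text instead of being spliced into it.
//    Host/db/credentials are placeholders.
function connectMysql(string $host, string $db, string $user, string $pass): PDO
{
    $dsn = "mysql:host=$host;dbname=$db;charset=utf8mb4";
    $pdo = new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
    // Startup sanity check: fail loudly if emulation is still on
    // (for example because a wrapper re-enabled it).
    if ($pdo->getAttribute(PDO::ATTR_EMULATE_PREPARES)) {
        throw new RuntimeException('PDO is still emulating prepares');
    }
    return $pdo;
}

// 2. Why "SET NAMES GBK" via query() is dangerous with emulated prepares:
//    a charset-unaware escaper inserts a backslash (0x5c) before the quote
//    that follows 0xbf. Under GBK the pair 0xbf 0x5c is a single character,
//    so the server reads the quote as a separate, unescaped character.
//    This function returns the hex of each character as the server would
//    split them, using addslashes() to model the charset-unaware escaper.
function gbkCharsAfterNaiveEscape(string $value): array
{
    $escaped = addslashes($value);
    $chars   = mb_str_split($escaped, 1, 'GBK');
    return array_map(fn (string $c): string => bin2hex($c), $chars);
}

// Constructed input: the same lead byte and quote as the quoted snippet.
$payload = "\xbf" . "'";
print_r(gbkCharsAfterNaiveEscape($payload));
```

With the DSN charset set and emulation off, the client library either escapes with the real connection charset or does not escape at all, which is the property the quoted snippet relies on being absent.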