[2009-11-19 10:56 UTC] svn@php.net
[2009-11-19 10:56 UTC] vrana@php.net
Copyright © 2001-2026 The PHP Group. All rights reserved.
Last updated: Thu Jun 18 15:00:01 2026 UTC |
Description:
------------
Hi,

Can you add more information about the SQL injection prevention properties of the PDO::Prepare functions. See my notes below.

Regards
Rowan

Reproduce code:
---------------
--- From manual page: pdo.prepare ---

Note on the SQL injection properties of prepared statements.

Prepared statements only protect you from SQL injection IF you use the bindParam or bindValue option. For example, if you have a table called users with two fields, username and email, and someone updates their username, you might run UPDATE `users` SET `user`='$var' where $var would be the user-submitted text. Now if you did

<?php
// $var holds the user-submitted text, interpolated directly into the SQL string
$a = new PDO("mysql:host=localhost;dbname=database;", "root", "");
$b = $a->prepare("UPDATE `users` SET user='$var'");
$b->execute();
?>

and the user had entered User', email='test for a test, the injection would occur and the email would be updated to test as well as the user being updated to User. Using bindParam as follows

<?php
$var = "User', email='test";
$a = new PDO("mysql:host=localhost;dbname=database;", "root", "");
// the SQL text contains only the :var placeholder; the value is passed separately
$b = $a->prepare("UPDATE `users` SET user=:var");
$b->bindParam(":var", $var);
$b->execute();
?>

The sql would be escaped and update the username to User', email='test'
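The two snippets from the report, run end to end against an in-memory SQLite database so the difference is observable without a MySQL server. This is an added example, not code from the bug report or the PHP manual; it assumes the pdo_sqlite extension is loaded, and the table contents and the attacker input are constructed from the report's description.

```php
<?php
// Added example: shows what each of the report's two snippets actually writes.
// Assumes pdo_sqlite is available; the users table and its row are constructed here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (user TEXT, email TEXT)");

// Put the table back to a known state before each run.
function resetRow(PDO $pdo): void
{
    $pdo->exec("DELETE FROM users");
    $pdo->exec("INSERT INTO users (user, email) VALUES ('alice', 'alice@example.com')");
}

// Read back the single row as an associative array.
function currentRow(PDO $pdo): array
{
    return $pdo->query("SELECT user, email FROM users")->fetch(PDO::FETCH_ASSOC);
}

// Constructed user-submitted input, exactly the value given in the report.
$var = "User', email='test";

// 1. String interpolation: prepare() receives SQL that already contains the input,
//    so the quote inside $var closes the literal and the remainder becomes SQL.
//    The statement sent to the database is: UPDATE users SET user='User', email='test'
resetRow($pdo);
$stmt = $pdo->prepare("UPDATE users SET user='$var'");
$stmt->execute();
var_dump(currentRow($pdo));
// user => "User", email => "test"  (both columns changed)

// 2. Bound parameter: the SQL text only ever contains the placeholder; the value
//    travels separately and is stored verbatim, quotes included.
resetRow($pdo);
$stmt = $pdo->prepare("UPDATE users SET user = :var");
$stmt->bindValue(':var', $var, PDO::PARAM_STR);
$stmt->execute();
var_dump(currentRow($pdo));
// user => "User', email='test", email => "alice@example.com"  (only user changed)
```

bindValue is used in the second run instead of bindParam because the value does not change before execute(); either call gives the same result here.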