Lester,

Even with PDO and older versions of MySQL, you could inject into prepared statements quite easily (assuming charset settings):

    // Deliberately hostile value: a GBK lead byte followed by a single quote
    $var = '1' . chr(0xbf) . chr(0x27) . ' OR 1=1';
    $pdo = new PDO('mysql:...');
    // Charset changed with a plain query, so the client library is not told
    $pdo->query('SET NAMES GBK');
    $stmt = $pdo->prepare('SELECT * FROM foo WHERE 2 = ?');
    $stmt->bindParam(1, $var);
    $stmt->execute();

Without setting $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, 0) first, that will successfully inject into the query thanks to how PDO emulates prepares. A problem that true prepared statements (MySQLi, and PDO if it has emulate prepares off) are immune to...

Anthony

On Wed, Apr 11, 2012 at 12:06 PM, Lester Caine <les...@lsces.co.uk> wrote:
> Ralph Schindler wrote:
>>
>> Hey Lester,
>>
>>> That is almost archaic itself ...
>>> It should be replaced with a pointer to using parameters (no, we do not
>>> need 'prepared statements', just parameters). One of the first things I
>>> implement on any code that I'm porting. Does away with any aggro over
>>> escaping strings and is totally safe 'injection' wise.
>>
>> While I generally agree, 'just parameters' does have its limitations.
>> Sometimes there are special character sequences that can be exploited to
>> escape out of a quoted value in a SQL string.
>>
>> Offhand, this comes to mind about MySQL:
>> http://bugs.mysql.com/bug.php?id=8378
>
> Well if you must use a simple database ;)
>
> I've never used MySQL simply because it has yet to get to the same standard
> as Firebird ... But I'm talking about passing parameters direct to '?'
> entries in the SQL - something which if it CAN be broken then the database
> is also broken? The database handles the 'data' going into a single field at
> a time.
>
> --
> Lester Caine - G8HFL
> -----------------------------
> Contact - http://lsces.co.uk/wiki/?page=contact
> L.S.Caine Electronic Services - http://lsces.co.uk
> EnquirySolve - http://enquirysolve.com/
> Model Engineers Digital Workshop - http://medw.co.uk//
> Firebird - http://www.firebirdsql.org/index.php
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
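As an added example (not from Anthony's post, PDO or libmysql), here is the byte-level mechanism behind the snippet above, simulated in Python: the escaping an emulated prepare performs on the client against what a GBK-decoding server lexer sees. Assumed: the client library still believes the connection is latin1 because SET NAMES went through as a plain query, the server decodes the statement as GBK, and the quote-doubling rule mirrors what MySQL's client does for the charsets it flags as backslash-unsafe.

```python
# Charsets whose trail bytes may be 0x5c; MySQL's client doubles quotes for
# these instead of backslash-escaping (assumed list: big5, cp932, gbk, sjis).
BACKSLASH_UNSAFE = {"big5", "cp932", "gbk", "sjis"}

def escape(value: bytes, client_charset: str) -> bytes:
    """Client-side escaping as an emulated prepare does it, in the charset
    the client library *believes* is active (assumed simulation, not PDO)."""
    out = bytearray()
    for b in value:
        if b == 0x27 and client_charset in BACKSLASH_UNSAFE:
            out += b"''"                      # safe form: doubled quote
        elif b in (0x27, 0x22, 0x5c, 0x00):
            out += bytes([0x5c, b])           # backslash escape
        else:
            out.append(b)
    return bytes(out)

def gbk_pair(sql: bytes, i: int) -> bool:
    """sql[i:i+2] is one GBK char (lead 0x81-0xFE, trail 0x40-0xFE bar 0x7F); 0x5c is a valid trail."""
    return (i + 1 < len(sql) and 0x81 <= sql[i] <= 0xFE
            and 0x40 <= sql[i + 1] <= 0xFE and sql[i + 1] != 0x7F)

def literal_end(sql: bytes, start: int, server_charset: str) -> int:
    """Index just past the closing quote of the literal opened at sql[start],
    walking bytes the way a server lexer in server_charset would."""
    i = start + 1
    while i < len(sql):
        if server_charset == "gbk" and gbk_pair(sql, i):
            i += 2                            # a backslash here is swallowed
        elif sql[i] == 0x5c:
            i += 2                            # escaped byte
        elif sql[i] == 0x27:
            if sql[i + 1:i + 2] == b"'":
                i += 2                        # doubled quote stays in string
            else:
                return i + 1                  # closing quote
        else:
            i += 1
    raise ValueError("unterminated literal")

def injected_tail(value: bytes, client_charset: str, server_charset: str = "gbk") -> bytes:
    """Bytes the server sees after the literal closes; b"" means the value stayed inside the quotes."""
    sql = b"SELECT * FROM foo WHERE name = '" + escape(value, client_charset) + b"'"
    return sql[literal_end(sql, sql.index(b"'"), server_charset):]

PAYLOAD = b"1" + bytes([0xbf, 0x27]) + b" OR 1=1"   # the $var from the post

if __name__ == "__main__":
    print(injected_tail(PAYLOAD, "latin1"))   # b" OR 1=1'"  -> quote escaped the literal
    print(injected_tail(PAYLOAD, "gbk"))      # b""          -> client knew the real charset
```

With emulation off (or with MySQLi), the bound value travels to the server as a separate parameter and never passes through escape() at all, which is why the true prepared statement is unaffected by the charset mismatch.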