How do PDO prepared statements help to prevent vulnerable SQL statements?
I'm confused, or rather I'm like, soooooooooo confused, about PDO prepared statements. I know prepared statements are the best way to keep data safe from hackers.

From: "How can prepared statements protect from SQL injection attacks?"

We send the program to the server first:

    $db->prepare("select * from users where id=?");

The data is substituted by a variable called a "placeholder". Note that the same query is being sent to the server, without any data in it! Then we're sending the data in a second request, totally separated from the query itself:

    $db->execute($data);

Query:

    $query = $db->prepare("select * from users where username=?");
    $query->execute(array($tex));
    $tex = "blah; drop table users;--";

Then:

    select * from users where username=blah; drop table users;--

How do prepared statements help me in the example above?

I'm sorry if the question is vague to understand. Any help is appreciated. Thanks in advance.
The prepared statement handler makes sure that the bound value is always used as a valid SQL value/literal (i.e. a SQL string or number), and never as 'raw SQL text'¹.

This is why placeholder values cannot be used as identifiers such as column or table names, or act as other SQL keywords; and they cannot generate the vulnerable query hypothesized. Instead it is treated as the following:

    where username='blah; drop table users;--'
                  --^ placeholder ensures a valid SQL string value is used
                  -- (note the automatic/implicit addition of SQL quotes)

And when binding 'more tricky' data:

    $tex = "blah'; drop table users;--"; // embedded SQL quote character

It is still safe:

    where username='blah''; drop table users;--'
                  --^ placeholder still ensures a valid SQL string value is used

Thus, when using placeholders, it is impossible to generate vulnerable SQL (in this way).

For SQL injection the 'shape' of the query (which includes keywords and identifiers, but excludes values) must be altered by the input.

¹ Technically placeholder values can be sent through a separate data channel (depending on the adapter/driver) and might not appear in the raw SQL query itself.

However, a simple way to think about why placeholders are safe, or how they 'work', is:

When using placeholders the adapter ensures the equivalent of a 'SQL safe escape' and applicable quoting is always used for every bound text value, and it is impossible to accidentally forget.
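The point above about the query's 'shape', as an added example (not from the original post or answer): the same 'more tricky' input is first bound to a placeholder and then concatenated into the SQL text, against an in-memory SQLite database. The table name and rows are constructed for the demo.

```php
<?php
// Added example, not part of the original answer. Uses an in-memory SQLite
// database so it runs stand-alone; the schema and sample rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)");
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('blah')");

// Check whether the users table survived, by reading SQLite's catalogue.
function usersTableExists(PDO $db): bool {
    $q = $db->query("SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='users'");
    return (int) $q->fetchColumn() === 1;
}

// The 'more tricky' input from the answer: closes the quote, then adds a statement.
$tex = "blah'; drop table users;--";

// Safe: the bound value can only ever be a string literal, so the query keeps
// its shape (SELECT ... WHERE username = <literal>) and simply matches no row.
$query = $db->prepare("SELECT * FROM users WHERE username = ?");
$query->execute([$tex]);
$matched = count($query->fetchAll(PDO::FETCH_ASSOC));
printf("prepared: %d row(s) matched, users table exists: %s\n",
    $matched, usersTableExists($db) ? 'yes' : 'no');

// Unsafe: concatenating the input lets it change the query's shape. The string
// now contains two statements, and exec() runs every statement it is given,
// so the DROP TABLE is executed as well.
$db->exec("SELECT * FROM users WHERE username = '" . $tex . "'");
printf("interpolated: users table exists: %s\n",
    usersTableExists($db) ? 'yes' : 'no');
```

The first check reports the table still present with zero rows matched; the second reports it gone, which is exactly the 'shape' change that placeholders rule out.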