php - Escaping while using PDO -


i love using pdo in php don't bind because there addition of codes etc.. cannot ignore sql injection , other security holes.

i use php wrapper class php pdo wrapper class

i heard escaping prevents sql injection (is correct)?

i heard doing html special chars don't prevent sql injection?

can way escape data post ?

for example use insert in database using run statement (using php wrapper class)

$firstname=$_post["first_name"]; , many more variables  global $db;  $db->run(sprintf("insert users (usergroup, useremail, username, usertoken, userfirstname, userlastname, userpassword, verified, signupdate, userip) values ('1', '%s', '%s', '%s', '%s', '%s', '%s', 'y', '%s', '%s')", $email, $username, md5(time()*rand(1, 9999)),$firstname, $lastname, $password, time(),$_server[remote_addr]));

is above code vulnerable sql injection , there security holes

you talking here 2 kinds of injection :

  1. sql injection, use special characters " or ' modify request being executed. can avoided escaping values in request, or preparing statements (see here complete explanation).
  2. html injection, use variables displayed in html inject code directly page. can avoided using htmlspecialchars, , has nothing sql injection.

you can't use htmlspecialchars prevent sql injection. simpler way prepare statements (see here). if don't it, there not code added , it's secure way it.

you can use pdo::quote (see doc here). request is vulnerable, can use quote function on each parameter secure it. tend find more verbose (compared preparing , binding), code.

i read library page, , didn't found documentation helpful, read code , found literally extends pdo, can use quote function pdo (or preparing, binding, etc).


Comments

Post a Comment

Popular posts from this blog

commonjs - How to write a typescript definition file for a node module that exports a function? -

consider, toml node module can use: // toml.d.ts declare module toml { export function parse(value:string):any; } declare module "toml" { export = toml; } then: /// <reference path="../../../../../defs/toml/toml.d.ts"/> import toml = require('toml'); toml.parse(...); however, node module export single function, such 'glob' ( https://github.com/isaacs/node-glob ). the node usage of module be: var glob = require("glob") glob("*.js", {}, callback(err, files) { ... }); you'd naively expect this: // glob.d.ts declare function globs(paths:string, options:any, callback:{(err:any, files:string[]):void; ...but because typescripts 'import' semantics bit strange, seems can use 'import .. = require()' statement alias modules . trying call: /// <reference path="../../../../../defs/glob/glob.d.ts"/> import blog = require('glob'); results in: error ts2072: mod...
Read more

openid - Okta: Failed to get authorization code through API call -

i'm integrating okta own idp server using okta's api. i'm implementing authorization code flow following steps below: in own server, use /api/v1/authn endpoint sessiontoken. use sessiontoken obtain authorization calling endpoint: /oauth2/v1/authorize?client_id=" + clientid + "&sessiontoken=" + sessiontoken + "&response_type=code&response_mode=query&scope=openid&redirect_uri=" + redirecturl + "&state=evanyang&nonce=" it's supposed return response status code 302 , location header containing redirect url code value. however, keep getting response status code 200 , without location header, html body saying "you using unsupported browser." , "javascript disabled on browser." according api documentation: http://developer.okta.com/docs/api/resources/oidc.html#authentication-request , sessiontoken parameter sufficient this: an okta one-time sessiontoken. allows api-based ...
Read more

ios - Change Storyboard View using Seague -

i have following code checks connection server, , depending on want change views if no connection found. nsstring *connect = [nsstring stringwithcontentsofurl:[nsurl urlwithstring:@"http://myserver.com"] encoding:nsutf8stringencoding error:nil]; if (connect == null) { [self performseguewithidentifier:@"network_failure" sender:self]; } else { // other code here } my problem not change views. have added storyboard segue between 2 views identifier of network_failure . not have navigation controller or that, problem? thanks help! no not problem. first of all, in objectivec exists nil object oriented null . must use that. so: if(connect == nil) or better: if(!connect) so due fact nil not same of null , probably code does't enter in if scope . you have been able discover breakpoint. anyway: be sure set trigger segue (line) 2 view controller , , name network_failure (that not best name. should instead view1toview2 ) as, m...
Read more