
What is the PDO equivalent of mysql_real_escape_string? (tags: php, mysql, pdo, sql-injection)


asked Sep 8, 2015 by rajesh
0 votes
20 views

3 Answers

0 votes
There is none! Which is why, instead, we use what is called "a prepared statement", as it eliminates the need to sanitize the inputs in the first place. To understand how simple this is, take the following basic example.

    // First establish a PDO connection
    try {
        $db = new \PDO("mysql:host=localhost;dbname=xx;charset=utf8", "xx", "xx", []);
    } catch (\PDOException $e) {
        echo "Error connecting to mysql: " . $e->getMessage();
        exit; // $db is undefined past this point, so stop here
    }

    // [ Optional ] pass some PDO attributes (setAttribute takes one attribute/value pair per call)
    $db->setAttribute(\PDO::ATTR_EMULATE_PREPARES, false);
    $db->setAttribute(\PDO::ATTR_ERRMODE, \PDO::ERRMODE_EXCEPTION);

Now assuming you have no errors thrown from the above code, it should be fairly simple to carry on doing what you want.

    if ($_POST && isset($_POST['name'])) {
        $stmt = $db->prepare("SELECT * FROM people WHERE name = ?");
        $stmt->execute(array($_POST['name']));        // execute() only returns true/false
        $rows = $stmt->fetchAll(\PDO::FETCH_ASSOC);   // the matching rows come from fetchAll()
        var_dump($rows);
    }

Now, as you can see, I haven't used anything to escape/sanitize the $_POST["name"] value. That is what PDO allows you to do.

It is worth noting that you should pass a charset=utf8 attribute in your DSN, as seen above, for security reasons, and always enable PDO to show errors in the form of exceptions (PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION), so errors from your database queries won't show sensitive data like your directories...

Last but not least, there are moments when you should not trust PDO 100%, and you are bound to take extra measures to prevent SQL injection. One of these cases is if you are using an outdated version of MySQL [ mysql =< 5.3.6 ] as described in this answer; but using prepared statements as shown above will always be safer than using any of the functions that start with mysql_.

Good reads: PDO Tutorial for MySQL Developers
answered Sep 8, 2015 by rajesh
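An added example, not part of the answer above: the string-concatenated query that the answer warns against next to its prepared-statement form, plus the two situations that usually tempt people back towards escaping, a dynamic IN (...) list and a user-chosen ORDER BY column. It assumes a MySQL table people(id, name, city) and the placeholder "xx" credentials from the answer.

```php
<?php
// Added example, not from the original answer. Assumes a MySQL table
// people(id, name, city) and the placeholder "xx" credentials used above.

function connect(): PDO {
    // charset in the DSN and real (non-emulated) prepares, as recommended above
    $db = new PDO("mysql:host=localhost;dbname=xx;charset=utf8mb4", "xx", "xx");
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $db;
}

// Vulnerable: the user-supplied value becomes part of the SQL text, so a
// quote character inside $name changes the structure of the query.
function findByNameUnsafe(PDO $db, string $name): array {
    $sql = "SELECT id, name FROM people WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the value is sent as a bound parameter, never as SQL text, so no
// escaping function is needed at all.
function findByName(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT id, name FROM people WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Dynamic IN (...) list: generate one placeholder per value instead of escaping and joining.
function findByCities(PDO $db, array $cities): array {
    if ($cities === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($cities), '?'));
    $stmt = $db->prepare("SELECT id, name FROM people WHERE city IN ($placeholders)");
    $stmt->execute(array_values($cities));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers such as a column name cannot be bound (and quote() is for values,
// not identifiers); accept only entries from a fixed whitelist.
function listSorted(PDO $db, string $orderBy): array {
    $allowed = ['id', 'name', 'city'];
    if (!in_array($orderBy, $allowed, true)) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    return $db->query("SELECT id, name, city FROM people ORDER BY `$orderBy`")
              ->fetchAll(PDO::FETCH_ASSOC);
}
```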
0 votes
There is none*! The object of PDO is that you don't
answered Sep 8, 2015 by rajesh
0 votes
    $v = '"'.mysql_real_escape_string($v).'"';

is the equivalent of

    $v = $this->db->quote($v);

Be sure you have a PDO instance in $this->db so you can call the PDO method quote().
answered Sep 8, 2015 by rajesh
