MySql injections when queries are done through procedures + few more questions

1) I was wondering if this is possible. I only saw a couple of injection examples and tried them out on a site that I'm practicing my PHP skills on, and the injections didn't work. Is there a way to inject in procedures? For instance, let's say I have this login procedure:

DELIMITER $$
-- Parameters renamed so they do not shadow the table's columns inside the body.
CREATE PROCEDURE `db`(IN p_user_name TEXT, IN p_pass TEXT)
   BEGIN
      -- The column list names the target columns; TRIM() belongs on the values.
      INSERT INTO `db` (user_name, pass) VALUES (TRIM(p_user_name), TRIM(p_pass));
   END$$
DELIMITER ;

I would call it from PHP like this:

$user_name = $_POST['user_name'];
$user_pass = $_POST['user_pass'];
mysql_query("CALL db($user_name, $user_pass)", $dbh);

What type of injections will work against this way of running queries?

2) Am I making a mistake when working with PDO instead of the regular db modules? So far I was getting a bunch of headaches on Windows with PDO.

3) I prefer using MySQL to trim spaces, encrypt passwords and do similar string operations. Is this the right way, or is PHP better at this? If yes, then what makes it better?

Thanks.

I think you might be able to get an injection in there if you were good at guessing code.

My username is going to be: Bob

My password is going to be: 21); DROP TABLE `db`;

$user_name = $_POST['user_name'];
$user_pass = $_POST['user_pass'];
mysql_query("CALL db($user_name, $user_pass)", $dbh);

I don't know if that would work but if you were going to try it I wouldn't test drop table lol. I would test trying to update something.

I tried entering

' OR 1=1; --

in my user name field, then I tried entering it in the password field (which is useless thanks to encryption anyway), but neither one worked. I tried the same stuff on a regular MySQL query and logged in with no issues.

I'll try to upload my login form to a free hosting later, so that maybe you'll have more success breaking it.
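On the thread's question of whether CALL by itself stops injection: what protects the statement is binding the values, not the fact that the work happens inside a procedure. The following is an added example, not code from any post above, of the same call made through PDO with bound parameters, so a value like the password suggested above is stored as a literal string instead of becoming part of the SQL. It assumes a MySQL database named `app`, a user `app_user`, and the procedure `db` from the first post with a valid INSERT into columns `user_name` and `pass`; the DSN and credentials are placeholders.

```php
<?php
// Added example (not from the original post): call the stored procedure with
// bound parameters so user input can never change the shape of the statement.
// Assumed: database `app`, user `app_user`, procedure `db`(user_name, pass).

$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',   // placeholder DSN
    'app_user',                                         // placeholder user
    'PLACEHOLDER_PASSWORD',                             // placeholder secret
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Use the server's own prepared statements rather than client-side
        // emulation; the values then never travel inside the SQL text at all.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$userName = $_POST['user_name'] ?? '';
$userPass = $_POST['user_pass'] ?? '';

// Hash the password in PHP before it reaches the database; the procedure
// only trims what it receives, and TRIM() leaves a bcrypt hash unchanged.
$hash = password_hash($userPass, PASSWORD_DEFAULT);

// The CALL has a fixed shape. The driver fills in the "?" markers as data, so
// a password of   21); DROP TABLE `db`;   is inserted verbatim as a string
// rather than terminating the CALL and starting a second statement.
$stmt = $pdo->prepare('CALL `db`(?, ?)');
$stmt->execute([$userName, $hash]);
```

The original `mysql_query("CALL db($user_name, $user_pass)")` string is what makes the injection possible: the values are pasted into the SQL text unquoted, so the procedure sees whatever statement the input builds.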
