Jump to content

rechecking my PDO

Richard_Grant

By Richard_Grant
in PHP Coding Help

Recommended Posts

Richard_Grant Member

Richard_Grant

Posted
Posted

Okay i have a function


function p_d_o($options, $func){//$options is a multidimensional array

..Parse $option to strings..
//when echoed $query looks like this:

//$vars[":val_0", "14084"]; // this is the only value retrieved from $_POST or $_GET all other values are from PHP function calls
//SELECT RAND_CODE,USERNAME FROM table WHERE RAND_CODE LIKE :val_0 LIMIT 5";
     $query = $cols_ . ' FROM ' . $options["table"] . ' ' . $options["conditional"] . ' ' . (($options["limitted"])?  $cond_ . ' LIMIT ' . $options["limitted"] : "");
          $secure_mysqli = $con->prepare($query);

          $secure_mysqli->execute($vars); //vars contains :val_0
     while($item = $secure_mysqli->fetch(PDO::FETCH_ASSOC)){
          $func($query);
     }
}

My question is Should i be worried about the other parts of the query string that is not being binded? I was having issues binding table name and cols.

Link to comment
https://forums.phpfreaks.com/topic/290986-rechecking-my-pdo/
Share on other sites
Jacques1 Prolific Member

Jacques1

Posted
Posted

You indeed cannot pass identifiers like column or table names to a prepared statements, and that's indeed a problem.

 

There are basically two solutions: Either you avoid this scenario altogether, or you use a whitelist of acceptable identifiers. Theoretically, you might also try a kind of generic validation so that you can use entirely dynamic queries (which seems to be your goal). But this is risky and fragile, so I'd avoid it at all cost. Even the big database frameworks shy away from this.

Link to comment
https://forums.phpfreaks.com/topic/290986-rechecking-my-pdo/#findComment-1490694
Share on other sites
Richard_Grant Member

Richard_Grant

Posted
  • Author
Posted

You indeed cannot pass identifiers like column or table names to a prepared statements, and that's indeed a problem.

 

There are basically two solutions: Either you avoid this scenario altogether, or you use a whitelist of acceptable identifiers. Theoretically, you might also try a kind of generic validation so that you can use entirely dynamic queries (which seems to be your goal). But this is risky and fragile, so I'd avoid it at all cost. Even the big database frameworks shy away from this.

 

Would you scold me for using mysqli_real_escape_string ? (if it would even let me use my pdo connection as the connection variable)

Link to comment
https://forums.phpfreaks.com/topic/290986-rechecking-my-pdo/#findComment-1490696
Share on other sites
Jacques1 Prolific Member

Jacques1

Posted
Posted

Would you scold me for using mysqli_real_escape_string ?

 

You mean for identifiers? This doesn't work. mysqli_real_escape_string() only works within quoted string values. It only prevents users from “breaking out” of the quoted expression. If there are no quotes, the whole function is useless.

 

By the way, the PDO equivalent of mysqli_real_escape_string() is PDO::quote().

Link to comment
https://forums.phpfreaks.com/topic/290986-rechecking-my-pdo/#findComment-1490699
Share on other sites
Richard_Grant Member

Richard_Grant

Posted
  • Author
Posted

You mean for identifiers? This doesn't work. mysqli_real_escape_string() only works within quoted string values. It only prevents users from “breaking out” of the quoted expression. If there are no quotes, the whole function is useless.

 

By the way, the PDO equivalent of mysqli_real_escape_string() is PDO::quote().

 

My table name and col are passed in as a string parameter so PDO::quote should work just fine for me

Link to comment
https://forums.phpfreaks.com/topic/290986-rechecking-my-pdo/#findComment-1490703
Share on other sites
Jacques1 Prolific Member

Jacques1

Posted
Posted

I think this is a misunderstanding. If you put the table name into an SQL string, you'll get a syntax error:

SELECT * FROM 'this_is_invalid';

Identifiers are not strings, so you cannot use PDO::quote().

 

Like I said, there's no easy solution. In fact, it's impossible to prevent SQL injections with the function itself, because you want it to accept complete SQL clauses (like the WHERE clause). Your only chance is to carefully validate all input before you pass it to the function.

 

You should also consider using professional database frameworks like Doctrine. They don't entirely solve the problem either, but they're more mature and easier to control.

Link to comment
https://forums.phpfreaks.com/topic/290986-rechecking-my-pdo/#findComment-1490704
Share on other sites
Richard_Grant Member

Richard_Grant

Posted
  • Author
Posted

I think this is a misunderstanding. If you put the table name into an SQL string, you'll get a syntax error:

SELECT * FROM 'this_is_invalid';

Identifiers are not strings, so you cannot use PDO::quote().

 

Like I said, there's no easy solution. In fact, it's impossible to prevent SQL injections with the function itself, because you want it to accept complete SQL clauses (like the WHERE clause). Your only chance is to carefully validate all input before you pass it to the function.

 

You should also consider using professional database frameworks like Doctrine. They don't entirely solve the problem either, but they're more mature and easier to control.

 

. Its really spaghetti and if i didn't spend hours setting up my server to use PDO i would switch to mysqli

Link to comment
https://forums.phpfreaks.com/topic/290986-rechecking-my-pdo/#findComment-1490707
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.