Contents tagged with security
- Using PDO::quote with Parameterized Queries
I spent some time last week investigating a puzzling issue raised in the SQL Server Driver for PHP forums: Need help with PDO::quote() and PDOStatement::bindValue and PDO::execute using new SQLSRVR 2.0 driver. At the heart of the issue was this question: Should you use the PDO::quote method to quote a parameter if you are also using the PDOStatement::bindValue or the PDOStatement::bindParam method to bind the parameter? My answer is no, you shouldn’t. I’ll explain why not, but I wonder if I’m potentially missing some use cases where it does make sense… I’d be very interested to learn those cases if I am.
- Do Stored Procedures Protect Against SQL Injection?
When I’ve asked people about their strategies for preventing SQL injection, one response is sometimes “I use stored procedures.” But stored procedures do not, by themselves, necessarily protect against SQL injection. The usefulness of a stored procedure as a protective measure has everything to do with how the stored procedure is written. Write a stored procedure one way, and you can prevent SQL injection. Write it another way, and you are still vulnerable. This post will look at one common pitfall that can leave stored procedures vulnerable to SQL injection.