What is PDO, how is it related to SQL injection and why should I use it?

Actually, I did google it and got so many results, but I cannot figure it out because I am new to this field.

So what is the easy way: what is PDO, why should I use it, what is SQL injection, etc., with an example?

Actually, my code is currently like this.

config.php

<?php
    $mysql_hostname = "localhost";
    $mysql_user = "root";
    $mysql_password = "";
    $mysql_database = "testdb";
    $prefix = "";
    $bd = mysql_connect($mysql_hostname, $mysql_user, $mysql_password) or die("Could not connect database");
    mysql_select_db($mysql_database, $bd) or die("Could not select database");
?>
insert.php

<?php
    include('config.php');
    $account_no = $_POST['account_no'];
    $amount = $_POST['amount'];
    // user input is interpolated straight into the SQL string (this is the injection point)
    $save = mysql_query("INSERT INTO tableamount (account_no, amount) VALUES ('$account_no', '$amount')");
    header("location: index.html");
    exit();
?>


index.html

<html>
    <body>
        <form action="insert.php" method="post" enctype="multipart/form-data" name="addroom">
            Account Number<br />
            <input name="account_no" type="text"/><br />

            Amount<br />
            <input name="amount" type="text"/><br />

            <input type="submit" name="Submit" value="Submit" id="button1" />
        </form>
    </body>
</html>

2 answers


PDO (PHP Data Objects) is a database access layer that provides a single method of accessing multiple databases.

It doesn't take database-specific syntax into account, but it can make the process of switching databases and platforms pretty painless by simply switching the connection string in many cases.

Prepared statements / parameterized queries are sufficient to prevent first-order injection into this statement. If you use uncontrolled dynamic SQL elsewhere in your application, you are still vulnerable to second-order injection.

In a second-order injection the data has been through the database once before being included in the query, and it is much more difficult to pull off. AFAIK, you almost never see true second-order attacks, as it is usually easier to do social engineering.

PDO is slightly slower than mysql_*. But it has great portability. PDO provides a single interface for multiple databases. This means you can use multiple databases without using mysql_query for MySQL, mssql_query for SQL Server, etc. Just use something like $db->query("INSERT INTO...") always, no matter what database driver you are using.

Thus, for a larger or portable project, PDO is preferable. Even Zend Framework uses PDO.


SQL Injection

SQL injection is a technique whereby malicious users can inject SQL commands into an SQL statement through the input of a web page.

Injected SQL commands can modify the SQL statement and compromise the security of the web application.


Are PDO prepared statements sufficient to prevent SQL injection?

The short answer is NO, PDO prepares will not protect you from all possible SQL injection attacks.


How do I use PDO?

Example:

$stmt = $dbh->prepare("SELECT * FROM tables WHERE names = :name");
$stmt->execute(array(':name' => $name));

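The distinction the answer draws between first-order and second-order injection, as an added example that is not code from the answer or from the original question. It runs against an in-memory SQLite database so it needs no MySQL server; the `accounts` table, the owners and the hostile `account_no` value are all constructed for the demonstration. Registration uses a prepared statement and is safe; the later report query is built by concatenating a value read back from the database and is not.

```php
<?php
// Added example, not code from the answer above: prepared statements stop
// first-order injection, but a later query built by string concatenation
// from data already in the database is still injectable (second-order).
// Runs against in-memory SQLite; the "accounts" table and all rows are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, account_no TEXT, owner TEXT, balance INTEGER)');

// Step 1: registration. Parameterized, so the hostile account_no is stored
// verbatim as data, exactly as the user typed it. No injection happens here.
$register = $db->prepare('INSERT INTO accounts (account_no, owner, balance) VALUES (:no, :owner, :bal)');
$register->execute([':no' => 'ACC-1', ':owner' => 'alice',   ':bal' => 100]);
$register->execute([':no' => 'ACC-2', ':owner' => 'bob',     ':bal' => 5000]);
$register->execute([':no' => "x' OR '1'='1", ':owner' => 'mallory', ':bal' => 0]); // constructed payload

// Step 2: a later "statement" page looks the account number up with a prepared
// statement, then builds the balance query by concatenation because the value
// "came from the database, so it must be safe". That assumption is the bug.
function balanceReportVulnerable(PDO $db, string $owner): array
{
    $stmt = $db->prepare('SELECT account_no FROM accounts WHERE owner = :owner');
    $stmt->execute([':owner' => $owner]);
    $accountNo = (string) $stmt->fetchColumn();
    // VULNERABLE: $accountNo is trusted only because it was read from the DB
    $sql = "SELECT owner, balance FROM accounts WHERE account_no = '$accountNo'";
    return $db->query($sql)->fetchAll();
}

// Fix: treat stored data like any other input and bind it as a parameter too.
function balanceReportSafe(PDO $db, string $owner): array
{
    $stmt = $db->prepare('SELECT account_no FROM accounts WHERE owner = :owner');
    $stmt->execute([':owner' => $owner]);
    $accountNo = (string) $stmt->fetchColumn();
    $stmt = $db->prepare('SELECT owner, balance FROM accounts WHERE account_no = :no');
    $stmt->execute([':no' => $accountNo]);
    return $stmt->fetchAll();
}

// The stored value turns the concatenated query into
//   SELECT owner, balance FROM accounts WHERE account_no = 'x' OR '1'='1'
// so every account's balance comes back for mallory.
print_r(balanceReportVulnerable($db, 'mallory'));   // three rows: alice, bob, mallory
print_r(balanceReportSafe($db, 'mallory'));         // one row: mallory only
```

The rule that follows from this: a value is not "safe" because it is stored in your database; it is safe only while it is passed to the driver as a bound parameter rather than spliced into SQL text. Every query that touches stored strings gets the same prepare/execute treatment as the one that handles the form post.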


Just imagine this user input: "1'); TRUNCATE TABLE accounts; --"

With your statement, if the user knows what DB structure you have, they can easily remove everything from the DB (assuming the DB user has the authority).

Never use user input directly in an SQL query like you did; always do escaping / casting before use.

PDO (PHP Data Objects) is a database access layer providing a single method of accessing multiple databases.

It does not take database-specific syntax into account, but it can allow the process of switching databases and platforms to be fairly painless by simply switching the connection string in many cases.

Read this link, it explains why PDO should be used in PHP.

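The question's insert.php as it behaves today next to its PDO replacement, as an added example that is not code from either answer or from the original question. It uses an in-memory SQLite database so it runs without MySQL; the `tableamount` table and column names are the question's, and the attacker input is constructed for the demonstration. The payload is a single statement (it appends a second VALUES row and comments out the rest), so it does not depend on stacked queries and would work through mysql_query as well, which does not allow multiple statements per call.

```php
<?php
// Added example, not code from the original post: the question's insert.php
// (string interpolation) beside the PDO prepared-statement version, run against
// in-memory SQLite. Table/column names are the question's; the payload is constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE tableamount (account_no TEXT, amount TEXT)');

// Vulnerable: exactly what the question's mysql_query(...) line does.
// The user's text becomes part of the SQL statement itself.
function insertVulnerable(PDO $db, string $accountNo, string $amount): int
{
    $sql = "INSERT INTO tableamount (account_no, amount) VALUES ('$accountNo', '$amount')";
    return $db->exec($sql);          // number of rows written
}

// Hardened: the SQL text is fixed at prepare time; the values are sent
// separately as parameters and can never change the statement's structure.
function insertSafe(PDO $db, string $accountNo, string $amount): int
{
    $stmt = $db->prepare('INSERT INTO tableamount (account_no, amount) VALUES (:account_no, :amount)');
    $stmt->execute([':account_no' => $accountNo, ':amount' => $amount]);
    return $stmt->rowCount();
}

function listRows(PDO $db): void
{
    foreach ($db->query('SELECT account_no, amount FROM tableamount') as $row) {
        printf("  %s => %s\n", $row['account_no'], $row['amount']);
    }
}

// Constructed attacker input for the "amount" field: closes the quoted value,
// adds a second row of the attacker's choosing, and comments out the rest:
//   INSERT ... VALUES ('ACC-1001', '5'), ('attacker-account', '1000000'); --')
$payload = "5'), ('attacker-account', '1000000'); --";

$written = insertVulnerable($db, 'ACC-1001', $payload);
printf("vulnerable insert wrote %d row(s)\n", $written);   // 2: the attacker's row went in
listRows($db);

$db->exec('DELETE FROM tableamount');

$written = insertSafe($db, 'ACC-1001', $payload);
printf("prepared insert wrote %d row(s)\n", $written);     // 1: the payload is stored as a plain string
listRows($db);
```

Against MySQL the same code works with a DSN such as `mysql:host=localhost;dbname=testdb;charset=utf8mb4`; set `PDO::ATTR_EMULATE_PREPARES` to `false` in the options so the MySQL server, not the PDO client, does the parameter binding, and always declare the charset in the DSN so client-side escaping (where it is still used) agrees with the connection's encoding. The `die()` calls in the question's config.php are also replaced by `PDO::ERRMODE_EXCEPTION`, which fails closed instead of printing driver messages to the user.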