0

Actually I did google and got so many results, but I can't understand, because I'm new in this field.

So what is an easy way that what is PDO, why I should use this, what is SQL injection, etc. with an example?1

Actually now my code is like that.

config.php

<?php
    $mysql_hostname = "localhost";
    $mysql_user = "root";
    $mysql_password = "";
    $mysql_database = "testdb";
    $prefix = "";
    $bd = mysql_connect($mysql_hostname, $mysql_user, $mysql_password) or die("Could not connect database");
    mysql_select_db($mysql_database, $bd) or die("Could not select database");
?>

insert.php

<?php
    include('config.php');
    $account_no = $_POST['account_no'];
    $amount = $_POST['amount'];
    $save = mysql_query("INSERT INTO tableamount (account_no, amount) VALUES ('$account_no', '$amount',)");
    header("location: index.html");
    exit();
?>

index.html

<html>
    <body>
        <form action="amount.php" method="post" enctype="multipart/form-data" name="addroom">
            Account Number<br />
            <input name="account_no" type="text"/><br />

            Amount<br />
            <input name="amount" type="text"/><br />

            <input type="submit" name="Submit" value="Submit" id="button1" />
        </form>
    </body>
</html>
Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
UDAY
  • 21
  • 4

2 Answers2

3

PDO - PHP Data Objects is a database access layer providing a uniform method of access to multiple databases.

It doesn't account for database-specific syntax, but it can allow for the process of switching databases and platforms to be fairly painless, simply by switching the connection string in many instances.

Enter image description here

Prepared statements / parameterized queries are sufficient to prevent first-order injection on that statement. If you use un-checked dynamic SQL anywhere else in your application you are still vulnerable to second-order injection.

Second-order injection means data has been cycled through the database once before being included in a query, and is much harder to pull off. AFAIK, you almost never see real second-order attacks, as it is usually easier to social-engineer your way in.

PDO is a bit slower than the mysql_*. But it has great portability. PDO provides single interface across multiple databases. That means you can use multiple DB without using mysql_query for mysql, mssql_query for SQL Server, etc. Just use something like $db->query("INSERT INTO...") always. No matter what database driver you are using.

So, for larger or portable project PDO is preferable. Even Zend Framework uses PDO.

SQL Injection

SQL Injection

SQL injection is a technique where malicious users can inject SQL commands into an SQL statement, via web page input.

Injected SQL commands can alter SQL statement and compromise the security of a web application.

Are PDO prepared statements sufficient to prevent SQL injection?

The short answer is NO, PDO prepares will not defend you from all possible SQL-Injection attacks. Attacks example

How to use PDO?

An example:

$stmt = $dbh->prepare("SELECT * FROM tables WHERE names = :name");
$stmt->execute(array(':name' => $name));

References

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Tushar Gupta
  • 15,504
  • 1
  • 29
  • 47
0

Simply imagine this user input: "1'); TRUNCATE TABLE accounts; --", with your statement, if the user know what db structure you have, can easily drop everything from the db (assuming the db user have the authorizations.

Never use the user input directly in a sql query as you've done, always escape/cast before use.

PDO - PHP Data Objects - is a database access layer providing a uniform method of access to multiple databases.

It doesn't account for database-specific syntax, but can allow for the process of switching databases and platforms to be fairly painless, simply by switching the connection string in many instances.

Please read this link carefully, it explains why pdo should be used in php

kitensei
  • 2,510
  • 2
  • 42
  • 68