Was thinking about it for a while today...is PDO with prepared statements realy enough protection against SQL-injections?

I've been looking it over quite a bit lately. I might be wrong, but I think that it's only injection-safe if you use prepared statements with parameters. PDO->query() isn't injection-safe and I don't think the prepared statements are either without parameters. They also recommend not using PDO->quote() to build your queries.

with parameters I guess u meen

PHP Code:

$do->bindParam(':user', $this->username, PDO::PARAM_STR); 


Yep, or the ? variety as well.

I would suggest sanitizing data no matter what. There are some threads here if you search for "sql injection" which will guide you.

Quote:

Originally Posted by JeremyMiller

I would suggest sanitizing data no matter what. There are some threads here if you search for "sql injection" which will guide you.

How would you recommend doing that without having a database specific method of escaping data? There's PDO->quote(), but the manual says it isn't recommended for building queries and I think it also says that it doesn't work for the ODBC driver.

Depends on the data being sanitized. For example, if it's usernames, I only allow letters, numbers, underscores, and dashes, so the data could be sanitized like this (for inserting):

PHP Code:

$username_sanitized = preg_replace('/[^a-z0-9\-\_]/i','',$_POST['username']); 


For selecting, you'd need to escape the _ character (don't know if that's specific to MySQL or not) like this:

PHP Code:

$username_sanitized = preg_replace('/[^a-z0-9\-\_]/i','',$_POST['username']);
$username_sanitized = str_replace('_','\_',$username_sanitized); 


I have to admit, however, that I make all of my stuff specific to MySQL b/c generalizing too much reduces the total amount of query types available to you and I like the optimization which can be applied by using everything available to MySQL.