-4

I have google and searched for sanitization the user posted data and found lot of examples and functions but i haven't find yet any solution which help me to resolve my confusion.

My question is that what is basically done in the following php mysqli built-in function:

  // Sanitize. example:
  $x = mysqli_real_escape_string($con, $posted_val));

is there any built-in function in PDO or in core php to sanitize the user posted data with?

I have tried to use my own function to sanitize the input by replacing the possible exploitable code and then return the result but I hope there may be some built-in function exits in PDO too? or I may be wrong...

halfer
  • 19,824
  • 17
  • 99
  • 186
Abdul Rahman
  • 1,669
  • 4
  • 24
  • 39
  • 1
    Does this answer your question? [function to sanitize input to Mysql database](https://stackoverflow.com/questions/9144414/function-to-sanitize-input-to-mysql-database) – Kaleb W Apr 10 '20 at 18:42
  • Does this answer your question? [PHP PDO prepared statements](https://stackoverflow.com/questions/1457131/php-pdo-prepared-statements) – El_Vanja Apr 10 '20 at 18:43
  • You could also use `mysqli` [prepared statements](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) if you want to stick to that extension. – El_Vanja Apr 10 '20 at 18:55
  • 3
    You don't need to sanitize when you use prepared statements. – Barmar Apr 10 '20 at 18:59
  • @Barmar, ok i got it. you are right i was forgetting about the prepared statements... – Abdul Rahman Apr 10 '20 at 19:01
  • Can you share more details? In the title, you have mentioned "kali" which "injects" something - what does that mean? – Nico Haase Apr 10 '20 at 19:25
  • 1
    There is no such thing as input sanitization. – Dharman Apr 10 '20 at 20:11
  • @NicoHaase kali linux has some very nice tools through which a one can test web applications for sql injetcions like Sqlmap and others... – Abdul Rahman Apr 10 '20 at 20:50

1 Answers1

-1

Basically with using PDO you need just parameterize your data to prevent SQL injections. Without parameterizing your database will be still available for injections. The sanitization you can implement by yourself before passing values into SQL statement

Simple example of parameterized PDO statement:

<?php
// Connecting to database with values defined in 'database.php'
include_once 'database.php';

$db = new PDO($DB_DSN, $DB_USER, $DB_PASSWORD);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Function that takes SQL statement and parameters for it
function query($sql, $params = []) {

    $stmt = $db->prepare($sql);

    // Simple preparing and binding parameters to PDO::prepare()
    if (!empty($params)) {
        foreach ($params as $key => $val) {
            if (is_int($val)) {
                $type = PDO::PARAM_INT;
            } elseif (is_bool($val)) {
                $type = PDO::PARAM_BOOL;
            } else {
                $type = PDO::PARAM_STR;
            }
            $stmt->bindValue(':'.$key, $val, $type);
        }
    }

    // Executing SQL
    $stmt->execute();
    return $stmt;
}

// I declare here simple variables that I'm usually getting from AJAX POST method
$id = "1";
$email = "[email protected]";

// SQL statement
$sql = 'SELECT * FROM `users` WHERE id = :id AND email = :email LIMIT 1';
// Parameters that will pass
$params = ['id' => $id, 'email' => $email];

// Executing SQL and saving return in variable
$result = query($sql, $params);

// Returning result
return $result;

So with such practice hacker won't be allowed to see any other data except that are passed into variables and couldn't make injection in it

Further readings:

znatno
  • 93
  • 9
  • Good advice, but why are you guessing the type of the params? – Dharman Apr 10 '20 at 20:32
  • @Dharman I had experience that by default bool variable will not be assigned to statement correctly and getting error. Do you know better solution for data_type? I'm new in PHP coding – znatno Apr 10 '20 at 20:35
  • 1
    What do you mean? What kind of scenario did not work for you? Either way, guessing the type automatically can only do more harm than good. Just pass everything as a string in execute. – Dharman Apr 10 '20 at 20:41
  • @znatno, in fact, i am using the code in the same way like you but i missed one thing you did in your code and that is to check the param type, i liked your way and will also use in future in sha Allah because it is a good way to keep the param type as well. – Abdul Rahman Apr 10 '20 at 20:48
  • @Dharman well, if I pass some value that is set but equals (bool)false it will be an empty string that will occurs an error – znatno Apr 10 '20 at 20:49
  • Why do you get an error? This is an XY problem. MySQL doesn't have a bool type. You can cast a boolean value to an int if you expect the familiar 0/1 value, but that doesn't mean that you should automatically guess the type. In rare cases, you could mangle your data if you do it like this. – Dharman Apr 10 '20 at 20:53