While the PDO documentation suggests that preparing statements eliminates the need for manual parameter quoting, the answer is a nuanced "yes." PDO emulates prepared statements for MySQL by default, and this emulation can sometimes create exploitable vulnerabilities.
The potential vulnerability arises when the connection encoding involves specific vulnerable character sets (e.g., gbk, cp932) and the following conditions are met:
In such cases, an attacker can craft a payload that contains an invalid multibyte character and exploit the discrepancy between the expected character set on the client and the actual character set of the connection. This allows them to inject an unquoted character into the generated query string, leading to potential SQL injections.
Prevention:
Mitigation:
The following code snippets illustrate safe practices:
// PDO without emulated prepares $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); $stmt = $pdo->prepare('SELECT * FROM test WHERE name = ? LIMIT 1'); $stmt->execute(array("xbf' OR 1=1 /*")); // PDO with DSN charset parameter $pdo = new PDO('mysql:host=localhost;dbname=testdb;charset=gbk', $user, $password); $stmt = $pdo->prepare('SELECT * FROM test WHERE name = ? LIMIT 1'); $stmt->execute(array("xbf' OR 1=1 /*")); // MySQLi (always uses true prepared statements) $mysqli->query('SET NAMES gbk'); $stmt = $mysqli->prepare('SELECT * FROM test WHERE name = ? LIMIT 1'); $param = "xbf' OR 1=1 /*"; $stmt->bind_param('s', $param); $stmt->execute();
PDO prepared statements can effectively prevent SQL injections when used properly and in conjunction with secure practices. It's crucial to avoid vulnerable encoding, disable emulated prepares, or enable NO_BACKSLASH_ESCAPES mode to mitigate potential vulnerabilities.
The above is the detailed content of Are PDO Prepared Statements Truly Safe from SQL Injection Attacks?. For more information, please follow other related articles on the PHP Chinese website!