Why don’t CI’s database functions use PDO? I did some research on database security, and over and over read that the best way to fortify the database is to use parameterization.
If you use active record or query binding you are safe since CI uses mysql_real_escape_string() to guard against sql injection. Parameterized queries are similar to CI’s query bindings. The advantage to parameterized queries on databases that support them is speed when executing the same query but with different data multiple times. Think multiple inserts. PDO supports parameterized queries on databases that support them, but PDO can also emulate parameterized queries which is the same thing as CI’s query binding.
ispod, rest assured that mysql_real_escape_string() is completely safe. If it wasn’t, most php applications would be vulnerable to sql injection attack.
Of course, we developers can screw anything up when we don’t know what we are doing.
I don’t understand why you’d use PDO. CI protects you. But you know, there is a filter system in CI too. And you can always use PHP’s Sanitize Filters as well.
There is only one way to avoid [injection] attacks:
* Do not create SQL statements that include outside data.
* Use parameterized SQL calls.
That’s it. Don’t try to escape invalid characters. Don’t try to do it yourself. Learn how to use parameterized statements. Always, every single time.
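As an added illustration of the advice above (not code from the thread or from CodeIgniter), here is the string-concatenation pattern the post warns against next to the parameterized PDO form it recommends; the DSN, credentials and the `users` table are assumptions.

```php
<?php
// Added example, not from the thread. DSN, credentials and the `users`
// table/columns are assumptions.
declare(strict_types=1);

// Emulated prepares off: MySQL receives statement and data as separate
// protocol messages. With emulation on, PDO escapes client-side instead,
// which is the behaviour the thread compares to CI's query binding.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Vulnerable: the value becomes part of the SQL text, so any quote
// character in it changes the structure of the statement.
function findUserUnsafe(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    $row = $pdo->query($sql)->fetch();
    return $row === false ? null : $row;
}

// Hardened: the statement text is fixed; the value travels as a bound
// parameter and is never interpreted as SQL.
function findUserSafe(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Binding covers values only. Identifiers such as column names cannot be
// parameters, so restrict them to an allow-list before interpolating.
function listUsersSorted(PDO $pdo, string $column, int $limit): array
{
    $allowed = ['id', 'username', 'created_at'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    $stmt = $pdo->prepare("SELECT id, username FROM users ORDER BY $column LIMIT :limit");
    // LIMIT must be bound as an integer; a quoted string would be rejected.
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}
```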
The strip gets one thing crucially wrong. The answer is not to “sanitize your database inputs” yourself. It is prone to error.
With PDO you can bind your vars/fields. But you don’t have to. It’s extra work, especially with big forms. But it is worth the time. But you still should sanitize your data. PHP provides some nice tools for that (there’s a link in my post above).
It is not hard to protect your site from a SQL Injection attack. You just can’t be lazy. Every form, every page where a user can type data, must be sanitized.
And CI does it all for you, if you want. Easy peasy.
> I don’t understand why you’d use PDO. CI protects you. But you know, there is a filter system in CI too. And you can always use PHP’s Sanitize Filters as well.

There is one small thing: the customer wants PDO to be used. This should be the answer to the WHY.
> ispod, rest assured that mysql_real_escape_string() is completely safe. If it wasn’t, most php applications would be vulnerable to sql injection attack.
> Of course, we developers can screw anything up when we don’t know what we are doing.

I’m sorry, but this is bad advice. Parameterization is much safer than escaping query strings. Abstraction and security are the main reasons for the use of PDO. Performance is nothing but a side effect. If you want to improve query performance, you use sensible indexes and stored procedures (and beyond that sharding, clustering, etc.)
mysql_real_escape_string does very little to prevent injection attacks.