I read all this thread so far, and many other articles as well.. and I still feel unsure about whether ActiveRecord or CI’s ‘Query Bindings’ are enough.
Many people just say to use prepared statements and be done with the argument. That is fine, but some of us for one reason or another cannot do that just yet.. and so we keep asking the question.
The question is how to reconcile this:
http://marc.info/?l=php-general&m=131603743606025&w=2
...with the idea that we CI devs are safe using ActiveRecord or query binding.
AFAICT, after my research, is that it comes down to this:
SO FAR no one knows how to hack (SQL inject) past these 2 security measures, BUT it could certainly be that someone WILL eventually find a way in this endless (and burdensome) game of hackers -vs.- security hole patchers.
1.)
From here:
http://stackoverflow.com/questions/4985672/pdo-in-codeigniter-protect-vs-sql-injection
“...According the the page you referenced, the Active Record class uses mysql_ functions for string-escaping. That means it’s still building SQL strings up in PHP-land instead of using parametrized APIs into the database. While it may be free of known defects right now, it is still a better idea to use an API that follows a more secure design…”
2.)
..and from here:
http://daniel.carrera.name/2009/01/comparison-of-php-frameworks-part-i/
(the ‘SQL injection attacks’ section)
“...Chris Shiflett shows
(here:
http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
) ...how to use a Chinese character to get an SQL injection through addslashes. How do we know that there isn’t some Tamil character that will get through mysql_real_escape_string?...”
It would be nice if true prepared statements (which did not rely on mysql_real_escape_string()) came out of the box with CI.
Please correct me if I am wrong.. being the relative newbie that i am with CI and PHP security.
-Govinda
