On Mon, Aug 17, 2009 at 10:10:47PM +0300, Dotan Cohen wrote:

> >> Logically, it does _not_ mean the same thing.
> >
> > Definitely not -- it would be a bit presumptuous to claim "If you do
> > X, the query is not vulnerable to SQL injection attacks" for just
> > about any value of X.
> >
> That is what I though: no magic bullet.
> > That said, I would recommend binding parameters if you can. It's a
> > cleaner way of separating the logic of a query from its data, and
> > theoretically more reliable than mysql_real_escape_string():
> >
> > http://en.wikipedia.org/wiki/SQL_injection#Parameterized_statements
> >
> I fail to understand what is happening here. For the sake of context,
> here is the PHP code in TFA:
> $db = new PDO('pgsql:dbname=database');
> $stmt = $db->prepare("SELECT priv FROM testUsers WHERE
> username=:username AND password=:password");
> $stmt->bindParam(':username', $user);
> $stmt->bindParam(':password', $pass);
> $stmt->execute();
> What exactly does bindParam do? I read these pages in TFM but I still
> do not understand what exactly is being sent to the database:
> http://il2.php.net/manual/en/function.db2-bind-param.php
> http://il2.php.net/manual/en/function.maxdb-stmt-bind-param.php
> http://il2.php.net/manual/en/mysqli-stmt.bind-param.php
> I do not see how there could possibly be a prepared statement for a
> user comment. I am not a programmer by trade, so I may be missing
> something obvious. If so, a link and a friendly RTFM would be great.

Typically, prepared statements do a couple of things. First, they ensure
that values sent to the DBMS are properly "quoted". You'd be surprised
how difficult a problem that is. Date and string values must be
surrounded by quotes, but numerics shouldn't be. And how they're quoted
depends on the DBMS you're using. So prepared statements take care of
this for you.

The second thing they do is examine the values you're attempting to pass
into the database, and ensure they don't contain SQL injection type
code. This is hard to explain, but it's relatively simple to insert
"code" in place of an actual value, and do malicious things to your
database, or obtain information you don't want users to see (like credit
card numbers). If you're curious, search for "SQL injection" to get more
information and see examples.

When you put something like "username = :username" in the arguments for
the prepare() function, the second parameter (:username) is really just
a placeholder for a value. It tells MySQL that this is where you want a
username to go in the final statement. The bindParam() function tells
MySQL the actual value you want to substitute for that placeholder. In
your case, it's a PHP variable named $user. When you call the execute()
function, it puts the values together with their placeholders, forms a
complete statement, and sends that off to the MySQL database engine.

I haven't followed this thread, so I don't know what you mean by, "I
do not see how there could possibly be a prepared statement for a user
comment." Maybe someone else can answer that part of your query.


Paul M. Foster

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to