Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
425 views
in Technique[技术] by (71.8m points)

php - PDO in Codeigniter - Protect vs SQL Injection

True PHP Security experts, is PDO the way to go or would I be ok with Codeigniter's Active Record class?

I have read http://codeigniter.com/forums/viewthread/179618/ and am not 100% convinced.
I usually lean on experts such as Chris Shiflett and OWASP for security tips. http://shiflett.org/blog/2006/jul/the-owasp-php-top-5

Been using a homebrewed PDO DB Class in place of the Codeigniter Database files. Everytime I upload it is a relatively small pain to copy over. The main reason I use PDO is to protect from SQL Injection vs using Active Record.

EDIT: NOT TO BE A SHILL but I wrote a post after the fact on how to integrate PDO in Codeigniter. If anyone has feedback, I would be happy to hear.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Well, there is a general answer for all the questions of this kind:

It's not a wand, it's a wizard.

(dunno where did i get that saying, but it seems I'm only one using it, but most likely I misspelled it)

There is nothing good or bad in the technology itself.
Everything depends on the hands that using it.

  1. There is nothing insecure in mysql, if used properly.
  2. PDO is not a magical aegis that covers your backss from all dangers by it's presence only.

Every time i see lame talks of SQL injection, it's always about dynamic data only.
While most danger comes from other query parts - say, dynamical identifiers. Where PDO can do a little less than nothing to deal with them.

So, there cannot be certain answer.
You can use whatever technology you like, as long as you understand what are you doing.
And contrary, if you don't understand how it works but just believe that some technology doing your job of protecting your app, you're already in trouble.

That's it.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...