Hello, I am studying PHP and, regarding OOP together with PDO, I have the following question: I always see in the articles on this subject that making use of the PDO prepare statement helps hinder or even "prevent" the dangerous SQL injections (a practice we call Prepared Statements or Prepared Declarations) because, as they explain there, if the system is linking the SQL query to the variables collected from an input form, which favors SQL injection, then by using prepare the SQL statement would no longer be vulnerable, because first the program makes a temporary declaration using the ":Identifier" operator in the SELECT; then, through the execute method, it passes an array or an object whose variable value the prepared statement is waiting for to replace ":Identifier"; and finally it executes the SQL statement. I ask: if the value placed to fill the ":Identifier" expected by prepare is also a value coming from "$_GET" or "$_POST", for example, entered in the form by the user, doesn't that make the SQL statement run in the execute method vulnerable as well? I still can't understand the difference between running the instruction with or without prepare: the content of the variable put in the ":Identifier" of the prepare will be filled by whatever the user enters! Or do we change the user input somehow, and I did not understand how this occurs? I'm sorry if it seems like a very beginner question and/or even one with an easy answer (maybe it's a speck in my eyes, not seeing the obvious), but the articles I read do not explain exactly how prepare removes the risk of an SQL injection (how it changes the text delivered by the user).
Basically because a value is passed. In the case of SQL concatenated "by hand", the string is interpreted as SQL, not as a value.
– Bacco
In other words, it does not need to change the text, precisely because at that moment it is only a value; the SQL has already been processed before the value is used. But this is in native engines, like MySQLi. PDO actually in many cases concatenates the string and only filters the data (it depends on the configuration). Before, it was only simulated by default; I do not know if they have done something better today.
– Bacco
Bacco, I understood that PDO (MySQLi also) takes the [value] of the variable and not the [string] itself, but my doubt is precisely this: when it takes a value that is text, for example `1); DROP TABLE xxx;`, then this value, which is text, will be added to the query statement, and it is this point that I do not understand: how would it fail to form a malicious text?
– Fernandes
It's okay for the text to be malicious if it won't run. When you pass a value, the query has already been read and interpreted. What is a "command" has already been converted into instructions. The "malicious" text will be passed to the SQL server only after this interpretation phase, and will be mere text. And PDO doesn't do what you're talking about, except under certain conditions. See the answers to the other question linked above, which has details about this.
– Bacco
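The difference discussed in the question and in the comments, shown side by side as an added example (this is not code from the question or from the comments above). It uses an in-memory SQLite database through PDO so it runs offline; the `users` table, its rows and the "user input" string are constructed here for illustration:

```php
<?php
// Added example, not part of the original post. An in-memory SQLite database
// through PDO; table, rows and the simulated user input are all constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Simulated form input, as it could arrive in $_GET['name'] or $_POST['name'].
// The single quote closes the string literal if the text is glued into the SQL.
$input = "x' OR '1'='1";

// 1) SQL concatenated "by hand": the input becomes part of the SQL *text*, so the
//    database parser sees  name = 'x' OR '1'='1'  and evaluates OR '1'='1' as a
//    condition that is true for every row. The whole table comes back.
$unsafeSql  = "SELECT name FROM users WHERE name = '" . $input . "'";
$unsafeRows = $pdo->query($unsafeSql)->fetchAll(PDO::FETCH_COLUMN);
printf("concatenated: %d row(s): %s\n", count($unsafeRows), implode(', ', $unsafeRows));

// 2) Prepared statement: the SQL text is parsed *first*, with :name as a placeholder.
//    Only afterwards is the value bound and the statement executed, so the input can
//    only ever be compared as data; its quote and its OR are never read as SQL.
//    No user is literally named  x' OR '1'='1 , so nothing matches.
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $input]);
$safeRows = $stmt->fetchAll(PDO::FETCH_COLUMN);
printf("prepared:     %d row(s): %s\n", count($safeRows), implode(', ', $safeRows));

// The same input is still "malicious text"; it just never reaches the parser as SQL.
// Against MySQL, PDO emulates prepares on the client by default (it escapes the value
// and builds one string); to have the server do the binding instead, turn that off
// when connecting, e.g.:
//   $pdo = new PDO('mysql:host=db;dbname=app', $user, $pass,
//                  [PDO::ATTR_EMULATE_PREPARES => false]);
```

The point to take away is that `$input` is never altered: in the concatenated query the database parser reads it as SQL, in the prepared query the parser never sees it at all, because parsing finished before `execute()` sent the value.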