This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Why no PDO?

January 30, 2011 5:15am

  • #1 / Jan 30, 2011 5:15am

    ipsod

    36 posts

    I’m not an expert, so that’s why I’m asking.

    Why don’t CI’s database functions use PDO?  I did some research on database security, and over and over read that the best way to fortify the database is to use parameterization.

  • #2 / Jan 30, 2011 1:03pm

    ipsod

    36 posts

    Ok, besides the theoretical why, should I implement PDO in my site, or can I trust CI’s security?

  • #3 / Jan 30, 2011 2:41pm

    Rick Jolly

    729 posts

    If you use active record or query binding you are safe since CI uses mysql_real_escape_string() to guard against sql injection. Parameterized queries are similar to CI’s query bindings. The advantage to parameterized queries on databases that support them is speed when executing the same query but with different data multiple times. Think multiple inserts. PDO supports parameterized queries on databases that support them, but PDO can also emulate parameterized queries which is the same thing as CI’s query binding.
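    The difference this post draws between escaping data into the SQL text and binding it, as an added PHP example that is not code from the thread or from CodeIgniter. It assumes the pdo_sqlite extension; the `users` table and its rows are constructed. CI's query bindings (`$this->db->query('... WHERE name = ?', array($name))`) escape and interpolate client-side, the same thing PDO does in emulation mode, while the binding below lets the driver prepare the statement natively.

```php
<?php
// Added example, not code from the thread or from CodeIgniter: the same lookup done
// by pasting data into the SQL text and by PDO parameter binding. Uses an in-memory
// SQLite database so it runs offline; the table and its rows are constructed.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // On MySQL you would also pass PDO::ATTR_EMULATE_PREPARES => false so the server
    // receives the placeholders and the values travel separately (native prepares);
    // with emulation on, PDO escapes and interpolates client-side, which is what the
    // thread calls CI's "query binding". SQLite always prepares natively.
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

    // One prepared statement executed repeatedly with different data: the
    // "multiple inserts" case from post #3.
    $insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    foreach (['alice', "O'Brien", 'bob'] as $name) {
        $insert->execute([':name' => $name]);
    }
    return $db;
}

// Outside data concatenated into the SQL text. A legitimate apostrophe already breaks
// the statement; hostile input could alter its meaning through the same gap.
function lookupByConcat(PDO $db, string $name): ?int
{
    try {
        $row = $db->query("SELECT id FROM users WHERE name = '$name'")->fetch(PDO::FETCH_ASSOC);
        return $row ? (int) $row['id'] : null;
    } catch (PDOException $e) {
        return null; // syntax error: the quote inside the data ended the string literal
    }
}

// Outside data bound as a parameter: the SQL text is fixed and the value stays data.
function lookupByBinding(PDO $db, string $name): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['id'] : null;
}

$db = openDb();
var_dump(lookupByConcat($db, "O'Brien"));  // the apostrophe makes the statement fail to parse
var_dump(lookupByBinding($db, "O'Brien")); // same input, the matching row is found
```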

  • #4 / Feb 05, 2011 12:01pm

    JonoB

    133 posts

  • #5 / Feb 05, 2011 5:28pm

    ipsod

    36 posts

    Thanks JonoB, PHP Active Record looks awesome.

    Rick Jolly, I understand that it does, but this site and others like it are what led me to think that that wasn’t good enough.

    http://bobby-tables.com/

    > There is only one way to avoid [injection] attacks
    >
    >   * Do not create SQL statements that include outside data.
    >   * Use parameterized SQL calls.
    >
    > That’s it. Don’t try to escape invalid characters. Don’t try to do it yourself. Learn how to use parameterized statements. Always, every single time.
    >
    > The strip gets one thing crucially wrong. The answer is not to “sanitize your database inputs” yourself. It is prone to error.

  • #6 / Feb 05, 2011 8:43pm

    Rick Jolly

    729 posts

    ipsod, rest assured that mysql_real_escape_string() is completely safe. If it wasn’t, most php applications would be vulnerable to sql injection attack.

    Of course, we developers can screw anything up when we don’t know what we are doing.

  • #7 / Feb 05, 2011 10:38pm

    ipsod

    36 posts

    Ok, thank you, that’s great to know!  I’m satisfied with DMZ and glad to not have to change ORM’s for security reasons.

  • #8 / Feb 08, 2011 6:42am

    eBuildy

    3 posts

    It’s a good question! Why are there so many files for the DB instead of using the fast and very, very simple to use ....

    Every time I start a new CI project, I remove all the DB files and add my small PDO wrapper ...

  • #9 / Apr 21, 2011 6:09pm

    EugeneS

    72 posts

    > It’s a good question! Why are there so many files for the DB instead of using the fast and very, very simple to use ....
    >
    > Every time I start a new CI project, I remove all the DB files and add my small PDO wrapper ...

    Could you share your PDO wrapper?

    I’m thinking about using PDO in a new project, so I would like to know whether any PDO library/driver exists for CI 2.x or whether I have to create my own from scratch.

    I was trying to find one but I can’t :\

  • #10 / Apr 23, 2011 3:31am

    Crag

    7 posts

    I don’t understand why you’d use PDO. CI protects you. But you know, there is a filter system in CI too. And you can always use PHP’s Sanitize Filters as well.

  • #11 / Apr 23, 2011 3:39am

    Crag

    7 posts

    > Thanks JonoB, PHP Active Record looks awesome.
    >
    > Rick Jolly, I understand that it does, but this site and others like it are what led me to think that that wasn’t good enough.
    >
    > http://bobby-tables.com/
    >
    > > There is only one way to avoid [injection] attacks
    > >
    > >   * Do not create SQL statements that include outside data.
    > >   * Use parameterized SQL calls.
    > >
    > > That’s it. Don’t try to escape invalid characters. Don’t try to do it yourself. Learn how to use parameterized statements. Always, every single time.
    > >
    > > The strip gets one thing crucially wrong. The answer is not to “sanitize your database inputs” yourself. It is prone to error.

    With PDO you can bind your vars/fields. But you don’t have to. It’s extra work, especially with big forms. But it is worth the time. But you still should sanitize your data. PHP provides some nice tools for that (there’s a link in my post above).

    It is not hard to protect your site from a SQL Injection attack. You just can’t be lazy. Every form, every page where a user can type data, must be sanitized.

    And CI does it all for you, if you want. Easy peasy.

  • #12 / Apr 23, 2011 4:39am

    EugeneS

    72 posts

    > I don’t understand why you’d use PDO. CI protects you. But you know, there is a filter system in CI too. And you can always use PHP’s Sanitize Filters as well.

    There is one small thing: the customer wants PDO to be used. This should be the answer to the WHY 😊

  • #13 / Apr 23, 2011 5:21am

    Crag

    7 posts

    > I don’t understand why you’d use PDO. CI protects you. But you know, there is a filter system in CI too. And you can always use PHP’s Sanitize Filters as well.

    > There is one small thing: the customer wants PDO to be used. This should be the answer to the WHY 😊

    Ok. Good enough for me. 😉

  • #14 / Apr 23, 2011 6:55pm

    Twisted1919

    500 posts

    > There is one small thing: the customer wants PDO to be used. This should be the answer to the WHY 😊

    Customer has no clue what PDO is.

  • #15 / Apr 24, 2011 12:06am

    InsiteFX

    6819 posts

    Besides if you want PDO then write a driver for it and the database stuff!

    InsiteFX
