ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Why no PDO?

January 30, 2011 5:15am

  • #16 / May 16, 2011 10:38pm

    ithcy

    1 posts

    ispod, rest assured that mysql_real_escape_string() is completely safe. If it wasn’t, most PHP applications would be vulnerable to SQL injection attack.

    Of course, we developers can screw anything up when we don’t know what we are doing.

    I’m sorry, but this is bad advice. Parameterization is much safer than escaping query strings. Abstraction and security are the main reasons for the use of PDO. Performance is nothing but a side effect. If you want to improve query performance, you use sensible indexes and stored procedures (and beyond that sharding, clustering, etc.)

    mysql_real_escape_string does very little to prevent injection attacks.

  • #17 / May 17, 2011 4:05am

    n0xie

    1381 posts

    mysql_real_escape_string does very little to prevent injection attacks.

    Orly?

    Example/proof please. Else just about ANY PHP Open Source Project (that I know of) including Drupal, WordPress, Joomla, Magento and any other you can name have some serious bugfixing to do.

  • #18 / Oct 05, 2011 8:22pm

    Govinda

    16 posts

    I read all this thread so far, and many other articles as well... and I still feel unsure about whether ActiveRecord or CI’s ‘Query Bindings’ are enough.
    Many people just say to use prepared statements and be done with the argument. That is fine, but some of us for one reason or another cannot do that just yet... and so we keep asking the question.

    The question is how to reconcile this:
    http://marc.info/?l=php-general&m=131603743606025&w=2
    ...with the idea that we CI devs are safe using ActiveRecord or query binding.

    AFAICT, after my research, it comes down to this:

    SO FAR no one knows how to hack (SQL inject) past these 2 security measures, BUT it could certainly be that someone WILL eventually find a way in this endless (and burdensome) game of hackers -vs.- security hole patchers.

    1.)
    From here:
    http://stackoverflow.com/questions/4985672/pdo-in-codeigniter-protect-vs-sql-injection

    “...According to the page you referenced, the Active Record class uses mysql_ functions for string-escaping. That means it’s still building SQL strings up in PHP-land instead of using parametrized APIs into the database. While it may be free of known defects right now, it is still a better idea to use an API that follows a more secure design…”

    2.)
    ..and from here:
    http://daniel.carrera.name/2009/01/comparison-of-php-frameworks-part-i/
    (the ‘SQL injection attacks’ section)

    “...Chris Shiflett shows
    (here:
    http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
    ) ...how to use a Chinese character to get an SQL injection through addslashes. How do we know that there isn’t some Tamil character that will get through mysql_real_escape_string?...”

    It would be nice if true prepared statements (which did not rely on mysql_real_escape_string()) came out of the box with CI.

    Please correct me if I am wrong... being the relative newbie that I am with CI and PHP security.
    -Govinda

  • #19 / Oct 09, 2011 11:08am

    JonoB

    133 posts

  • #20 / May 07, 2012 4:53pm

    ci_user

    30 posts

    Yeah, now if there was some decent documentation on how to get it to work!

    PDO will be in CI very soon. https://github.com/EllisLab/CodeIgniter/pull/282

  • #21 / Oct 10, 2012 4:12am

    Itachi86

    1 posts

    Now is a better time to move to PDO than any other.

    This extension (mysql_*) is not recommended for writing new code. Instead, either the mysqli or PDO_MySQL extension should be used.

    From php.net

    Move on from mysql_* please….
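    The contrast ithcy draws in #16 (parameterization versus escaping) and the move to PDO urged in #21, as an added example that is not code from this thread, from CodeIgniter or from ExpressionEngine. It uses an in-memory SQLite database so it runs offline; the table, rows and inputs are constructed for the demo. With MySQL, the DSN changes and the emulation setting noted in the comments is what decides whether PDO sends a real server-side prepared statement or escapes the value into the query text on the client (in which case the connection charset in the DSN must match the server, which is exactly the multibyte concern raised in #18).

```php
<?php
// Added example: the same lookup written by concatenating the input into the
// SQL text and written with a PDO prepared statement.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // With a MySQL DSN you would also set this, so that PDO uses real
    // server-side prepares instead of client-side escaping of bound values:
    // $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
    return $db;
}

// Before: the query text is assembled from the input. Whatever escaping is
// (or is not) applied is the only thing keeping the input out of the SQL grammar.
function findByNameConcat(PDO $db, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// After: the query text is fixed before any input is seen. $name travels as a
// value bound to the :name placeholder and is never parsed as SQL.
function findByNameBound(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = openDb();
// Constructed input: a plain string to the bound query, but a rewrite of the
// WHERE clause (name = '' OR '1'='1') once concatenated into the SQL text.
$hostile = "' OR '1'='1";

printf("concatenated: %d row(s)\n", count(findByNameConcat($db, $hostile)));
printf("bound:        %d row(s)\n", count(findByNameBound($db, $hostile)));
printf("bound, real name: %d row(s)\n", count(findByNameBound($db, 'alice')));
```

The concatenated version returns every user because the input changed the query's structure; the bound version returns only rows whose name is literally that string, which is the whole point of the separation ithcy describes.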

