Asked  7 Months ago    Answers:  5   Viewed   47 times

I am modifying my code from using mysql_* to PDO. In my code I had mysql_real_escape_string(). What is the equivalent of this in PDO?

 Answers

19

Well No, there is none!

Technically there is PDO::quote() but it is rarely ever used and is not the equivalent of mysql_real_escape_string()

That's right! If you are already using PDO the proper way as documented using prepared statements, then it will protect you from MySQL injection.


# Example:

Below is an example of a safe database query using prepared statements (pdo)

  try {
     // first connect to database with the PDO object. 
     $db = new PDO("mysql:host=localhost;dbname=xxx;charset=utf8", "xxx", "xxx", [
       PDO::ATTR_EMULATE_PREPARES => false, 
       PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
     ]); 
 } catch(PDOException $e){
     // if connection fails, show PDO error. 
   echo "Error connecting to mysql: " . $e->getMessage();
 }

And, now assuming the connection is established, you can execute your query like this.

if($_POST && isset($_POST['color'])){ 

    // preparing a statement
    $stmt = $db->prepare("SELECT id, name, color FROM Cars WHERE color = ?");

    // execute/run the statement. 
    $stmt->execute(array($_POST['color']));

    // fetch the result. 
    $cars = $stmt->fetchAll(PDO::FETCH_ASSOC); 
    var_dump($cars); 
 }

Now, as you can probably tell, I haven't used anything to escape/sanitize the value of $_POST["color"]. And this code is secure from myql-injection thanks to PDO and the power of prepared statements.


It is worth noting that you should pass a charset=utf8 as attribute, in your DSN as seen above, for security reasons, and always enable PDO to show errors in the form of exceptions.

PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION

so errors from you database queries won't reveal sensitive data like your directory structure, database username etc.

Last but not least, there are moments when you should not trust PDO 100%, and will be bound to take some extra measures to prevent sql injection, one of those cases is, if you are using an outdated versions of mysql [ mysql =< 5.3.6 ] as described in this answer

But, using prepared statements as shown above will always be safer, than using any of the functions that start with mysql_

Good reads

PDO Tutorial for MySQL Developers

Wednesday, March 31, 2021
 
MannfromReno
answered 7 Months ago
90

You have to bind your variables like you do in your first code. The Version 1 and Version 2 codes are both INSECURE.

Friday, May 28, 2021
 
SilverHorn
answered 5 Months ago
80

Any query can be injected whether it's read or write, persistent or transient. Injections can be performed by ending one query and running a separate one (possible with mysqli), which renders the intended query irrelevant.

Any input to a query from an external source whether it is from users or even internal should be considered an argument to the query, and a parameter in the context of the query. Any parameter in a query needs to be parameterized. This leads to a properly parameterized query that you can create a prepared statement from and execute with arguments. For example:

SELECT col1 FROM t1 WHERE col2 = ?

? is a placeholder for a parameter. Using mysqli, you can create a prepared statement using prepare, bind a variable (argument) to a parameter using bind_param, and run the query with execute. You don't have to sanitize the argument at all (in fact it's detrimental to do so). mysqli does that for you. The full process would be:

$stmt = $mysqli->prepare("SELECT col1 FROM t1 WHERE col2 = ?");
$stmt->bind_param("s", $col2_arg);
$stmt->execute();

There is also an important distinction between parameterized query and prepared statement. This statement, while prepared, is not parameterized and is thus vulnerable to injection:

$stmt = $mysqli->prepare("INSERT INTO t1 VALUES ($_POST[user_input])");

To summarize:

  • All Queries should be properly parameterized (unless they have no parameters)
  • All arguments to a query should be treated as hostile as possible no matter their source
Monday, June 7, 2021
 
e_i_pi
answered 5 Months ago
55

There isn't a built-in function to do this, but you can easily add your own as a protocol extension method:

extension SequenceType {
    func all(@noescape predicate: (Self.Generator.Element) throws -> Bool)
        rethrows -> Bool {

        for i in self {
            if !(try predicate(i)) { return false }
        }
        return true
    }
}

and then use it on a sequence like:

let allPositive = [1, 2, 3].all { $0 > 0 }
Wednesday, August 25, 2021
 
LoicTheAztec
answered 2 Months ago
61

I'm not seeing anything in Boost that does what you need (though you might be able to implement it yourself by using lower-level functions). As you've found out, the scaled Bessel functions are not computed simply by multiplying exp(z). The GSL appears to have incorporated this functionality, e.g., gsl_sf_bessel_Knu_scaled. For an "exact equivalent," you might look at the paper and code by Amos, e.g., CBESK. Both Matlab and Octave appear to use this implementation. However, the code is written in Fortran, so you'd need to translate it or put a wrapper around it (this project appears to have done that so it might be useful – there are others out there too).

You may also be able to use Matlab's Coder and codegen to output something as well.

Sunday, October 24, 2021
 
Rupesh Patel
answered 1 Day ago
Only authorized users can answer the question. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :