Is FluentPDO safe?

2

Someone who has already used FluentPDO , can you tell me if it's secure against SQL Injects? It's okay that it uses PDO, but it suddenly does not handle the data before it is sent to the database.

And if it is secure, I want to study it to develop my own model using PDO.

    
asked by anonymous 24.03.2014 / 20:48

1 answer

2

It depends on how it is used. Looking at the examples on the linked page, we have:

syntax                           description
$table->where("field", "x")      Translated to field = 'x'
$table->where("field > ?", "x")  bound by PDO

As you can see, the first case simply puts the value used in the query, with no further processing. If you use a value type:

$table->where("field", "Robert'); DROP TABLE Students;--")

Then it will be placed in the query, and you will undergo an SQL Injection. However, if you use the second form:

$table->where("field = ?", "Robert'); DROP TABLE Students;--")

Then the ' in value will be "escaped", and your system will be safe.

In summary, using FluentPDO will not automatically make your system secure or insecure, it is necessary to take each API call into account on a case-by-case basis to determine the security of the application.

    
24.03.2014 / 20:54