Are PDO Prepared Statements Truly Safe from SQL Injection Attacks?

Are PDO Prepared Statements Immune to SQL Injections?

While the PDO documentation suggests that preparing statements eliminates the need for manual parameter quoting, the answer is a nuanced "yes." PDO emulates prepared statements for MySQL by default, and this emulation can sometimes create exploitable vulnerabilities.

The Attack Vector

The potential vulnerability arises when the connection encoding involves specific vulnerable character sets (e.g., gbk, cp932) and the following conditions are met:

1. The database character set is set using SET NAMES (instead of mysql_set_charset()).
2. The client uses emulated prepared statements (or true prepared statements that the MySQL server treats as emulated).

In such cases, an attacker can craft a payload that contains an invalid multibyte character and exploit the discrepancy between the expected character set on the client and the actual character set of the connection. This allows them to inject an unquoted character into the generated query string, leading to potential SQL injections.

The Fixes

Prevention:

• Disable emulated prepared statements: $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
• Use the PDO DSN charset parameter to set the character encoding (PHP >= 5.3.6): $pdo = new PDO('mysql:host=localhost;dbname=testdb;charset=gbk', $user, $password);
• Avoid vulnerable encoding: Use character sets like UTF-8 or Latin1 that are not vulnerable to this attack.

Mitigation:

• Enable the NO_BACKSLASH_ESCAPES SQL mode: This alters the behavior of character escaping, mitigating the potential vulnerability.

Safe Examples

The following code snippets illustrate safe practices:

// PDO without emulated prepares
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$stmt = $pdo->prepare('SELECT * FROM test WHERE name = ? LIMIT 1');
$stmt->execute(array("xbf' OR 1=1 /*"));

// PDO with DSN charset parameter
$pdo = new PDO('mysql:host=localhost;dbname=testdb;charset=gbk', $user, $password);
$stmt = $pdo->prepare('SELECT * FROM test WHERE name = ? LIMIT 1');
$stmt->execute(array("xbf' OR 1=1 /*"));

// MySQLi (always uses true prepared statements)
$mysqli->query('SET NAMES gbk');
$stmt = $mysqli->prepare('SELECT * FROM test WHERE name = ? LIMIT 1');
$param = "xbf' OR 1=1 /*";
$stmt->bind_param('s', $param);
$stmt->execute();

Conclusion

PDO prepared statements can effectively prevent SQL injections when used properly and in conjunction with secure practices. It's crucial to avoid vulnerable encoding, disable emulated prepares, or enable NO_BACKSLASH_ESCAPES mode to mitigate potential vulnerabilities.

The above is the detailed content of Are PDO Prepared Statements Truly Safe from SQL Injection Attacks?. For more information, please follow other related articles on the PHP Chinese website!