Can mysql_* functions be used if PDO and mysqli are not available?

I have a site hosted on shared hosting. They have php 5.2.13 installed.

I know SQL Injection vulnerabilities and want to prevent this.

So I want to use PDO or mysqli to prevent this.

But the problem is that when I used phpinfo() to view information about the PHP installation in the hosting environment,
I found that there is no MySQL driver for PDO and no mysqli support at all.

So I wanted to know whether it would be safe to use the old mysql_* functions (along with functions like mysql_real_escape_string()).

I looked at this on SO, but it was not very helpful to me: "Are prepared statements possible if mysqli and PDO are not available?"

UPDATE:

I forgot to mention that most queries will be simple. Forms are not used, so user input will not be used to build queries. All queries will be hard-coded with the necessary parameters, and they will not change after installation.

3 answers

If you are really consistent about using mysql_real_escape_string() on all the input that enters the system, I think you should be safe from any SQL injection that prepared statements protect you from.

How perfect are you at this? I bet most buffer overflow vulnerabilities were created by programmers who thought they had validated the input well...


No. The lack of safer solutions is never an excuse to fall back to a less secure or more vulnerable one.

You are much better off finding another hosting provider, one that does not disable arbitrary PHP functions in its hosting packages. Oh, and try to get one that runs PHP 5.3, or better yet, if you can, PHP 5.4.


A good way to do this is to implement a wrapper class around the mysql_* functions with several methods that emulate prepared statements.

The idea is that you must pass strongly typed parameters into your queries.

For example, here is a piece of code with the general idea. Of course, it needs more work. But it can block SQL injection attacks if implemented properly.

You can also look for third-party libraries that already implement this, because this is a common need.

```php
<?php
class MyDb
{
    protected $query;
    protected $result;

    public function setQuery($query)
    {
        $this->query  = $query;
        $this->result = null;
    }

    public function setNumericParameter($name, $value)
    {
        if (is_numeric($value)) { // SQL injection check: is the value really a number?
            $this->query = str_replace(':' . $name, $value, $this->query);
        }
        // else: probably an SQL injection attempt
    }

    // Implement here the methods for all the types you need, including dates, strings, etc.

    public function fetchArray()
    {
        if ($this->result === null) { // run the query once, then walk the result set
            $this->result = mysql_query($this->query);
        }
        return mysql_fetch_array($this->result);
    }
}

$db = new MyDb();
$db->setQuery('SELECT * FROM articles WHERE id = :id');
$db->setNumericParameter('id', 15);
while ($row = $db->fetchArray()) {
    // do your homework
}
```
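The wrapper sketched in the answer above leaves out two things a practitioner would want before trusting it: string parameters need mysql_real_escape_string() plus quoting, and the escaping is only correct when the connection charset was set with mysql_set_charset() (PHP 5.2.3 and later), not with a raw SET NAMES query. The following is an added example, not code from the original answers: a small PHP 5.2-compatible class that emulates typed placeholders over the legacy mysql_* extension. The table, column and connection credentials are hypothetical. Note that the mysql extension was removed in PHP 7.0, so this only applies to the legacy situation described in the question.

```php
<?php
// Added example (not from the original page): emulated prepared statements
// over the legacy mysql_* extension for a PHP 5.2 host with no PDO/mysqli.
// Assumes an open mysql_connect() link whose charset was set with
// mysql_set_charset(), which mysql_real_escape_string() relies on for
// correct handling of multibyte input.

class SafeMysql
{
    private $link;

    public function __construct($link)
    {
        $this->link = $link;
    }

    // Render one bound value according to its placeholder type:
    //   ?i  integer   (validated and cast, never passed through as a string)
    //   ?s  string    (mysql_real_escape_string + surrounding quotes)
    //   ?n  nullable string (NULL or a quoted, escaped string)
    private function bind($type, $value)
    {
        switch ($type) {
            case 'i':
                // Unlike is_numeric(), this rejects "1e3", " 15" and "1.5".
                if (!preg_match('/^-?[0-9]+$/', (string)$value)) {
                    throw new InvalidArgumentException('integer parameter expected');
                }
                return (string)(int)$value;
            case 's':
                return "'" . mysql_real_escape_string((string)$value, $this->link) . "'";
            case 'n':
                if ($value === null) {
                    return 'NULL';
                }
                return "'" . mysql_real_escape_string((string)$value, $this->link) . "'";
            default:
                throw new InvalidArgumentException('unknown placeholder ?' . $type);
        }
    }

    // Build the final SQL in a single pass over the template, so a bound
    // value that itself contains "?s" is never re-read as a placeholder.
    public function prepare($sql, array $params)
    {
        $parts = preg_split('/(\?[isn])/', $sql, -1, PREG_SPLIT_DELIM_CAPTURE);
        $out = '';
        $p = 0;
        foreach ($parts as $part) {
            if (preg_match('/^\?([isn])$/', $part, $m)) {
                if (!array_key_exists($p, $params)) {
                    throw new InvalidArgumentException('missing parameter #' . $p);
                }
                $out .= $this->bind($m[1], $params[$p]);
                $p++;
            } else {
                $out .= $part;
            }
        }
        if ($p !== count($params)) {
            throw new InvalidArgumentException('too many parameters supplied');
        }
        return $out;
    }

    public function query($sql, array $params = array())
    {
        $res = mysql_query($this->prepare($sql, $params), $this->link);
        if ($res === false) {
            throw new RuntimeException(mysql_error($this->link));
        }
        return $res;
    }

    public function fetchAll($sql, array $params = array())
    {
        $res  = $this->query($sql, $params);
        $rows = array();
        while ($row = mysql_fetch_assoc($res)) {
            $rows[] = $row;
        }
        mysql_free_result($res);
        return $rows;
    }
}

// Usage with hypothetical credentials and table:
$link = mysql_connect('localhost', 'app', 'secret') or die(mysql_error());
mysql_select_db('blog', $link);
mysql_set_charset('utf8', $link); // required for mysql_real_escape_string() to be charset-aware

$db   = new SafeMysql($link);
$rows = $db->fetchAll(
    'SELECT id, title FROM articles WHERE id = ?i AND author = ?s',
    array($_GET['id'], $_GET['author'])
);
// "1 OR 1=1" for ?i throws before any SQL is built; "' OR '1'='1" for ?s
// becomes a harmless quoted literal.
```

The point of the typed placeholders is that every value takes exactly one escaping path chosen by the template author, not by the data; the remaining risk is a template that puts a placeholder where a literal cannot go (a table name, an ORDER BY column), which no escaping function can make safe and which real prepared statements would refuse too.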

Source: https://habr.com/ru/post/1444284/
