Why no PDO?
#1

[eluser]ipsod[/eluser]
I'm not an expert, so that's why I'm asking.

Why don't CI's database functions use PDO? I did some research on database security, and over and over read that the best way to fortify the database is to use parameterization.
#2

[eluser]ipsod[/eluser]
Ok, besides the theoretical why, should I implement PDO in my site, or can I trust CI's security?
#3

[eluser]Rick Jolly[/eluser]
If you use active record or query binding you are safe since CI uses mysql_real_escape_string() to guard against SQL injection. Parameterized queries are similar to CI's query bindings. The advantage to parameterized queries on databases that support them is speed when executing the same query but with different data multiple times. Think multiple inserts. PDO supports parameterized queries on databases that support them, but PDO can also emulate parameterized queries, which is the same thing as CI's query binding.
#4

[eluser]JonoB[/eluser]
Have a look at http://www.phpactiverecord.org/
#5

[eluser]ipsod[/eluser]
Thanks JonoB, PHP Active Record looks awesome.

Rick Jolly, I understand that it does, but this site and others like it are what led me to think that that wasn't good enough.

http://bobby-tables.com/
Quote: There is only one way to avoid [injection] attacks

* Do not create SQL statements that include outside data.
* Use parameterized SQL calls.

That's it. Don't try to escape invalid characters. Don't try to do it yourself. Learn how to use parameterized statements. Always, every single time.

The strip gets one thing crucially wrong. The answer is not to "sanitize your database inputs" yourself. It is prone to error.
#6

[eluser]Rick Jolly[/eluser]
ipsod, rest assured that mysql_real_escape_string() is completely safe. If it wasn't, most PHP applications would be vulnerable to SQL injection attacks.

Of course, we developers can screw anything up when we don't know what we are doing.
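The two posts above talk about escaping versus binding in the abstract. The following is an added example (not code from the thread or from CodeIgniter) that runs both side by side against an in-memory SQLite database so it works offline. mysql_real_escape_string() needs a live MySQL link, so PDO::quote() stands in as the escaper; the placement problem it shows does not depend on which escaper is used. The table, rows and the two hostile inputs are constructed for the demonstration.

```php
<?php
// Added example: "escape, then interpolate" versus a bound parameter.
// Runs offline against SQLite; PDO::quote() plays the escaper because
// mysql_real_escape_string() requires an open MySQL connection.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');

// Prepare once, execute per row: the "multiple inserts" case from post #3.
$insert = $pdo->prepare('INSERT INTO users (id, name) VALUES (?, ?)');
foreach (array(array(1, 'alice'), array(2, 'bob'), array(3, 'carol')) as $row) {
    $insert->execute($row);
}

// Escape-only step, modelling mysql_real_escape_string(): PDO::quote() escapes
// and wraps the value in quotes, so strip the wrapping quotes to keep just the
// escaped body, which is what an escape-only function hands back.
function escapeOnly(PDO $pdo, $value)
{
    return substr($pdo->quote($value), 1, -1);
}

function countRows(PDO $pdo, $sql, array $params = array())
{
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

// Two constructed hostile inputs: one aimed at a quoted string slot,
// one aimed at an unquoted numeric slot.
$stringAttack  = "' OR '1'='1";
$numericAttack = '1 OR 1=1';

// (a) Escaped value placed INSIDE quotes: the escaper neutralises the quote
//     character, the value is compared as one plain string, no row matches.
$sql = "SELECT id FROM users WHERE name = '" . escapeOnly($pdo, $stringAttack) . "'";
echo 'escaped + quoted string slot:    ', countRows($pdo, $sql), " rows\n";

// (b) Escaped value placed in an UNQUOTED numeric slot: '1 OR 1=1' contains
//     no quote, backslash or NUL, so the escaper returns it unchanged and the
//     injected OR becomes part of the statement. Escaping is only sound when
//     the escaped value ends up between quotes.
$sql = 'SELECT id FROM users WHERE id = ' . escapeOnly($pdo, $numericAttack);
echo 'escaped + unquoted numeric slot: ', countRows($pdo, $sql), " rows\n";

// (c) Bound parameters: the value is never spliced into the SQL text, so the
//     kind of slot does not matter and neither input matches anything.
$sql = 'SELECT id FROM users WHERE name = ?';
echo 'bound string slot:               ', countRows($pdo, $sql, array($stringAttack)), " rows\n";
$sql = 'SELECT id FROM users WHERE id = ?';
echo 'bound numeric slot:              ', countRows($pdo, $sql, array($numericAttack)), " rows\n";
```

Run it with the command-line php binary (pdo_sqlite is bundled with most builds). Case (b) returns all three rows while (a) and both (c) queries return none: escaping works when the developer also supplies the quotes, binding works regardless. Whether PDO emulates the prepare or the server does it natively, case (c) behaves the same, which is the point Rick Jolly makes about CI's binding being equivalent to emulated prepares.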
#7

[eluser]ipsod[/eluser]
Ok, thank you, that's great to know! I'm satisfied with DMZ and glad to not have to change ORMs for security reasons.
#8

[eluser]eBuildy[/eluser]
It's a good question! Why are there plenty of files for the DB instead of using the fast and very, very simple to use ....

Every time I do a new CI project, I remove all the DB files and add my small PDO wrapper ...
#9

[eluser]EugeneS[/eluser]
[quote author="eBuildy" date="1297183378"]It's a good question! Why are there plenty of files for the DB instead of using the fast and very, very simple to use ....

Every time I do a new CI project, I remove all the DB files and add my small PDO wrapper ...[/quote]

Could you share your PDO wrapper?

I'm thinking about using PDO in a new project, so I would like to know if any PDO library/driver exists for CI 2.x, or whether I have to create my own from scratch?

I was trying to find one but I can't :\
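Since the thread asks for a wrapper and none is posted, here is an added example of the kind of minimal PDO wrapper being discussed. It is not eBuildy's code and not part of CodeIgniter. The class name Pdo_db and the CI 2.x loading convention (file application/libraries/Pdo_db.php, loaded with $this->load->library('pdo_db', $params)) are assumptions; the demo at the bottom runs the class stand-alone against an in-memory SQLite database with constructed data.

```php
<?php
// Added example: a small PDO wrapper whose query() mirrors the shape of CI's
// $this->db->query($sql, $bindings). Every value goes through a placeholder;
// nothing from the caller is ever concatenated into the SQL text.

class Pdo_db
{
    private $pdo;

    public function __construct(array $params)
    {
        $dsn     = $params['dsn'];
        $options = array(
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, never return false
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        );
        // MySQL: disable emulated prepares so the server does the prepare and
        // values travel separately from the statement. Put the charset in the
        // DSN (e.g. 'mysql:host=localhost;dbname=app;charset=utf8mb4') so that
        // client and server agree on the encoding. SQLite rejects this
        // attribute, so it is only set for the mysql driver.
        if (strpos($dsn, 'mysql:') === 0) {
            $options[PDO::ATTR_EMULATE_PREPARES] = false;
        }
        $this->pdo = new PDO(
            $dsn,
            isset($params['username']) ? $params['username'] : null,
            isset($params['password']) ? $params['password'] : null,
            $options
        );
    }

    // SELECT-style call: returns all rows as associative arrays.
    public function query($sql, array $params = array())
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll();
    }

    // INSERT/UPDATE/DELETE/DDL: returns the affected row count.
    public function execute($sql, array $params = array())
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->rowCount();
    }

    // Prepare once, execute many inside one transaction (the bulk-insert case
    // from post #3). $table and $columns are identifiers and cannot be bound,
    // so they must come from code, never from request data.
    public function insertMany($table, array $columns, array $rows)
    {
        $placeholders = '(' . implode(', ', array_fill(0, count($columns), '?')) . ')';
        $sql  = 'INSERT INTO ' . $table . ' (' . implode(', ', $columns) . ') VALUES ' . $placeholders;
        $stmt = $this->pdo->prepare($sql);

        $this->pdo->beginTransaction();
        try {
            foreach ($rows as $row) {
                $stmt->execute($row);
            }
            $this->pdo->commit();
        } catch (Exception $e) {
            $this->pdo->rollBack();
            throw $e;
        }
        return count($rows);
    }
}

// Stand-alone demo with constructed data; in CI you would pass the MySQL DSN
// and credentials via $params instead.
$db = new Pdo_db(array('dsn' => 'sqlite::memory:'));
$db->execute('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->insertMany('users', array('id', 'name'), array(array(1, 'alice'), array(2, 'bob')));

$rows = $db->query('SELECT name FROM users WHERE id = ?', array('1 OR 1=1'));
echo 'rows matched by the bound hostile value: ', count($rows), "\n";

$rows = $db->query('SELECT name FROM users WHERE id = ?', array(2));
echo 'name for id 2: ', $rows[0]['name'], "\n";
```

The hostile value is bound, not interpolated, so the first query matches nothing and the second returns bob. When dropping this into CI, keep CI's own config/database.php out of the picture and feed the DSN and credentials through $params; the class has no dependency on the framework.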
#10

[eluser]Crag[/eluser]
I don't understand why you'd use PDO. CI protects you. But you know, there is a filter system in CI too. And you can always use PHP's Sanitize Filters as well.
