
I was told that using PDO is recommended to make my code more secure from MySQL injections.

I am currently using DB_DataObject, which I read also cleans the input from injections (http://pear.php.net/manual/en/package.database.db-dataobject.php). Do I still need to use PDO, or should DB_DataObject be OK? Also, can I combine them together, and if yes, how?

Example part of my DB statement:

    // the request values are interpolated straight into the SQL string
    $password = encryptpass($_REQUEST['password']);
    $user->query("select username from {$user->__table} where (username = '$username' or email='$username') AND password = '$password' ");

Thanks

ivan

1 Answer


PDO or DB_DataObject doesn't protect against SQL injection if you build your query yourself without using the correct function to escape your parameters.

To be protected you need:

  • Escape your data ($username and others) with the correct function ($db->quote for DB_DataObject)

or

cweiske
Tom
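To make the answer concrete, here is an added example (not code from the question, the answer, or the PEAR project) showing the same login lookup three ways: the unsafe interpolated form from the question, DB_DataObject with escaping, and a PDO prepared statement. It assumes a DB_DataObject subclass for a `users` table with `username`, `email` and `password` columns, a PDO handle, and that `DB_DataObject::escape()` is available in the installed PEAR version.

```php
<?php
// Added example, not from the question or answer. Assumes a DB_DataObject
// subclass for "users" (username, email, password) and an open PDO handle.
require_once 'DB/DataObject.php';

// 1. Unsafe (the pattern in the question): request values become part of the SQL
//    text, so a quote character inside $username ends the string literal and the
//    rest of the value is parsed as SQL.
function findUserUnsafe(DB_DataObject $user, $username, $password)
{
    return $user->query("SELECT username FROM {$user->__table} "
        . "WHERE (username = '$username' OR email = '$username') AND password = '$password'");
}

// 2. DB_DataObject with a hand-built query: escape every value first.
//    DB_DataObject::escape() is assumed to exist in the installed version.
function findUserEscaped(DB_DataObject $user, $username, $password)
{
    $u = $user->escape($username);
    $p = $user->escape($password);
    return $user->query("SELECT username FROM {$user->__table} "
        . "WHERE (username = '$u' OR email = '$u') AND password = '$p'");
}

// 3. DB_DataObject without query(): build the WHERE clause with whereAdd() from
//    escaped values and let find() run the SELECT.
function findUserDataObject(DB_DataObject $user, $username, $password)
{
    $u = $user->escape($username);
    $user->whereAdd("(username = '$u' OR email = '$u')");
    $user->whereAdd("password = '" . $user->escape($password) . "'");
    $user->selectAdd();            // drop the default "SELECT *"
    $user->selectAdd('username');
    return $user->find(true) ? $user->username : null;
}

// 4. PDO prepared statement: the SQL text is fixed and the values are sent
//    separately, so no escaping of the values is needed. Two placeholders are
//    used for $username because native prepares do not allow reusing one name.
function findUserPdo(PDO $pdo, $username, $password)
{
    $stmt = $pdo->prepare('SELECT username FROM users '
        . 'WHERE (username = :u1 OR email = :u2) AND password = :p');
    $stmt->execute(array(':u1' => $username, ':u2' => $username, ':p' => $password));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['username'] : null;
}
```

In all four functions `$password` is whatever `encryptpass()` returned, as in the question; the point is only how the values reach the query.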