adrian Posted September 18

Worth a read!

"The lesson here is to never mix manually constructed SQL fragments and bindings when using PDO emulation. You are opening yourself up to a huge risk by doing so as a single misparse results in SQL injection. If you are a developer: Disable PDO::ATTR_EMULATE_PREPARES if possible; If not, ensure you are on the latest version (PHP 8.4) and you do not allow null bytes in your queries."

https://slcyber.io/assetnote-security-research-center/a-novel-technique-for-sql-injection-in-pdos-prepared-statements/
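To make the quoted advice concrete, here is an added PHP illustration (not code from the linked article or from the poster) of the pattern being warned about next to a hardened form. The DSN, credentials, the `users(id, name)` table and the function names are all assumed for the example. With emulated prepares (the pdo_mysql default), PDO itself scans the query text for placeholders and splices client-side-quoted values into it, so any attacker-controlled bytes concatenated into that text are handed to that client-side parser; with emulation off, placeholders are interpreted by the server.

```php
<?php
// Added illustration (not the article's or the poster's code). The DSN,
// credentials and the `users(id, name)` table are hypothetical.

declare(strict_types=1);

// Default connection: PDO::ATTR_EMULATE_PREPARES is left at its default,
// which is true for pdo_mysql. PDO will locate the `?` markers by scanning
// the query string client-side and substitute quoted values itself.
function connectEmulated(): PDO
{
    return new PDO('mysql:host=127.0.0.1;dbname=app', 'app', 'secret', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

// The pattern the article warns against: user-controlled text concatenated
// into the SQL string by hand, alongside a bound placeholder. Under emulation
// the client-side parser now has to tokenise attacker-controlled bytes to find
// the `?`; if it misparses, the bound value is spliced in the wrong place and
// the result is SQL injection.
function findUsersUnsafe(PDO $pdo, string $sortColumn, int $minId): array
{
    $sql = "SELECT id, name FROM users WHERE id >= ? ORDER BY " . $sortColumn;
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$minId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened connection: native server-side prepares. Placeholders are parsed
// by the database server, and values travel separately from the SQL text.
function connectNative(): PDO
{
    return new PDO('mysql:host=127.0.0.1;dbname=app', 'app', 'secret', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Defence-in-depth from the quoted advice, for deployments that cannot turn
// emulation off: refuse to send any SQL text that contains a NUL byte.
function assertNoNulBytes(string $sql): void
{
    if (strpos($sql, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in SQL text');
    }
}

// Hardened query: nothing user-controlled reaches the SQL text unchecked.
// A column name cannot be bound as a value, so it is matched against a fixed
// allow-list; the row filter is bound with an explicit type; and the final
// text is rejected outright if it carries a NUL byte.
function findUsersSafe(PDO $pdo, string $sortColumn, int $minId): array
{
    $allowedColumns = ['id' => true, 'name' => true];
    if (!isset($allowedColumns[$sortColumn])) {
        throw new InvalidArgumentException('unexpected sort column');
    }
    $sql = "SELECT id, name FROM users WHERE id >= :min_id ORDER BY `$sortColumn`";
    assertNoNulBytes($sql);
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':min_id', $minId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (hypothetical input; the second call is the one to keep):
// $rows = findUsersUnsafe(connectEmulated(), $_GET['sort'], 100);
// $rows = findUsersSafe(connectNative(), $_GET['sort'], 100);
```

The allow-list is what removes the hand-built fragment; disabling emulation is what takes the client-side parser out of the path; the NUL-byte check is the fallback the quote recommends when emulation must stay on.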