
A Novel Technique for SQL Injection in PDO’s Prepared Statements



Worth a read!

"The lesson here is to never mix manually constructed SQL fragments and bindings when using PDO emulation. You are opening yourself up to a huge risk by doing so as a single misparse results in SQL injection. If you are a developer:

Disable PDO::ATTR_EMULATE_PREPARES if possible;
If not, ensure you are on the latest version (PHP 8.4) and you do not allow null bytes in your queries."

https://slcyber.io/assetnote-security-research-center/a-novel-technique-for-sql-injection-in-pdos-prepared-statements/

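The advice quoted above, worked through as an added PHP example that is neither the linked article's nor the poster's code: a PDO connection helper that turns emulation off (with the weak setting shown beside it) and a null-byte check for the case where it cannot be turned off. The DSN, the `users` table and the `email` column are assumed placeholders.

```php
<?php
// Added example (not from the linked article or the forum post).
// Assumptions: a MySQL DSN and a `users` table with an `email` column,
// both placeholders for illustration.

declare(strict_types=1);

function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Weak setting (what pdo_mysql uses by default): PDO rebuilds the
        // SQL string on the client by substituting the bound values, so a
        // client-side misparse of the query text becomes SQL injection.
        // PDO::ATTR_EMULATE_PREPARES => true,
        // Corrected setting: the query and its parameters travel to the
        // server separately and values are never spliced into SQL text.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Fallback check when emulation cannot be disabled: reject null bytes
// before they reach either the query text or its bindings.
function assertNoNullBytes(string ...$values): void
{
    foreach ($values as $v) {
        if (strpos($v, "\0") !== false) {
            throw new InvalidArgumentException('null byte in query input');
        }
    }
}

function findUserByEmail(PDO $pdo, string $email): ?array
{
    assertNoNullBytes($email);
    // Fully parameterised: no hand-built SQL fragment is mixed with the
    // bound value, which is the pattern the quoted advice warns against.
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```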