{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 做个烂人 的问题《Are parameterized queries in PDO necessary for req》','https://www.manongdao.com/q-1287710.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I understand that parameterized queries are essential when user-submitted data is on the prowl, however my question is whether this applies to user-TAMPERABLE data?
So if we have an url such as ".../?id=1", would it be necessary to prepare any statement using $id or would URL encoding remove the threat?
Joe
Url encoding would not remove the threat.
Anything that is touchable by the user should be treated as unsafe and a potential threat. You query by
idas such not validating it and just shoving it straight into a query can still cause the same injection problems as not using PDO at all.Why wouldn't you use prepared statements / paramaterised queries for all situations where there is external/variable input?
The only queries you can trust are those where every element is hardcoded, or derived from hardcoded elements within your application.
Do not even trust data that you have pulled from your own database. This counts as external / variable data. A sophisticated attack can use more vectors than a simple "modifying a query string parameter".
I think for the tiny amount of extra code overhead, it is completely worth the peace of mind you will get from knowing your queries are protected.