Are PDO prepared statements sufficient to prevent SQL injection?

The short answer is NO, PDO prepares will not defend you from all possible SQL-Injection attacks. For certain obscure edge-cases.

I’m adapting this answer to talk about PDO…

The long answer isn’t so easy. It’s based off an attack demonstrated here.

The Attack

So, let’s start off by showing the attack…

$pdo->query('SET NAMES gbk');
$var = "\xbf\x27 OR 1=1 /*";
$query = 'SELECT * FROM test WHERE name = ? LIMIT 1';
$stmt = $pdo->prepare($query);
$stmt->execute(array($var));

In certain circumstances, that will return more than 1 row. Let’s dissect what’s going on here:

  1. Selecting a Character Set$pdo->query('SET NAMES gbk'); For this attack to work, we need the encoding that the server’s expecting on the connection both to encode ' as in ASCII i.e. 0x27 and to have some character whose final byte is an ASCII \ i.e. 0x5c. As it turns out, there are 5 such encodings supported in MySQL 5.6 by default: big5cp932gb2312gbk and sjis. We’ll select gbk here.Now, it’s very important to note the use of SET NAMES here. This sets the character set ON THE SERVER. There is another way of doing it, but we’ll get there soon enough.
  2. The PayloadThe payload we’re going to use for this injection starts with the byte sequence 0xbf27. In gbk, that’s an invalid multibyte character; in latin1, it’s the string ¿'. Note that in latin1 and gbk0x27 on its own is a literal ' character.We have chosen this payload because, if we called addslashes() on it, we’d insert an ASCII \ i.e. 0x5c, before the ' character. So we’d wind up with 0xbf5c27, which in gbk is a two character sequence: 0xbf5c followed by 0x27. Or in other words, a valid character followed by an unescaped '. But we’re not using addslashes(). So on to the next step…
  3. $stmt->execute()The important thing to realize here is that PDO by default does NOT do true prepared statements. It emulates them (for MySQL). Therefore, PDO internally builds the query string, calling mysql_real_escape_string() (the MySQL C API function) on each bound string value.The C API call to mysql_real_escape_string() differs from addslashes() in that it knows the connection character set. So it can perform the escaping properly for the character set that the server is expecting. However, up to this point, the client thinks that we’re still using latin1 for the connection, because we never told it otherwise. We did tell the server we’re using gbk, but the client still thinks it’s latin1.Therefore the call to mysql_real_escape_string() inserts the backslash, and we have a free hanging ' character in our “escaped” content! In fact, if we were to look at $var in the gbk character set, we’d see:縗’ OR 1=1 /*Which is exactly what the attack requires.
  4. The QueryThis part is just a formality, but here’s the rendered query:SELECT * FROM test WHERE name = '縗' OR 1=1 /*' LIMIT 1

Congratulations, you just successfully attacked a program using PDO Prepared Statements…

The Simple Fix

Now, it’s worth noting that you can prevent this by disabling emulated prepared statements:

$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

This will usually result in a true prepared statement (i.e. the data being sent over in a separate packet from the query). However, be aware that PDO will silently fallback to emulating statements that MySQL can’t prepare natively: those that it can are listed in the manual, but beware to select the appropriate server version).

The Correct Fix

The problem here is that we didn’t call the C API’s mysql_set_charset() instead of SET NAMES. If we did, we’d be fine provided we are using a MySQL release since 2006.

If you’re using an earlier MySQL release, then a bug in mysql_real_escape_string() meant that invalid multibyte characters such as those in our payload were treated as single bytes for escaping purposes even if the client had been correctly informed of the connection encoding and so this attack would still succeed. The bug was fixed in MySQL 4.1.205.0.22 and 5.1.11.

But the worst part is that PDO didn’t expose the C API for mysql_set_charset() until 5.3.6, so in prior versions it cannot prevent this attack for every possible command! It’s now exposed as a DSN parameter, which should be used instead of SET NAMES

The Saving Grace

As we said at the outset, for this attack to work the database connection must be encoded using a vulnerable character set. utf8mb4 is not vulnerable and yet can support every Unicode character: so you could elect to use that instead—but it has only been available since MySQL 5.5.3. An alternative is utf8, which is also not vulnerable and can support the whole of the Unicode Basic Multilingual Plane.

Alternatively, you can enable the NO_BACKSLASH_ESCAPES SQL mode, which (amongst other things) alters the operation of mysql_real_escape_string(). With this mode enabled, 0x27 will be replaced with 0x2727 rather than 0x5c27 and thus the escaping process cannot create valid characters in any of the vulnerable encodings where they did not exist previously (i.e. 0xbf27 is still 0xbf27 etc.)—so the server will still reject the string as invalid. However, see @eggyal’s answer for a different vulnerability that can arise from using this SQL mode (albeit not with PDO).

Safe Examples

The following examples are safe:

mysql_query('SET NAMES utf8');
$var = mysql_real_escape_string("\xbf\x27 OR 1=1 /*");
mysql_query("SELECT * FROM test WHERE name = '$var' LIMIT 1");

Because the server’s expecting utf8

mysql_set_charset('gbk');
$var = mysql_real_escape_string("\xbf\x27 OR 1=1 /*");
mysql_query("SELECT * FROM test WHERE name = '$var' LIMIT 1");

Because we’ve properly set the character set so the client and the server match.

$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->query('SET NAMES gbk');
$stmt = $pdo->prepare('SELECT * FROM test WHERE name = ? LIMIT 1');
$stmt->execute(array("\xbf\x27 OR 1=1 /*"));

Because we’ve turned off emulated prepared statements.

$pdo = new PDO('mysql:host=localhost;dbname=testdb;charset=gbk', $user, $password);
$stmt = $pdo->prepare('SELECT * FROM test WHERE name = ? LIMIT 1');
$stmt->execute(array("\xbf\x27 OR 1=1 /*"));

Because we’ve set the character set properly.

$mysqli->query('SET NAMES gbk');
$stmt = $mysqli->prepare('SELECT * FROM test WHERE name = ? LIMIT 1');
$param = "\xbf\x27 OR 1=1 /*";
$stmt->bind_param('s', $param);
$stmt->execute();

Because MySQLi does true prepared statements all the time.

Wrapping Up

If you:

  • Use Modern Versions of MySQL (late 5.1, all 5.5, 5.6, etc) AND PDO’s DSN charset parameter (in PHP ≥ 5.3.6)

OR

  • Don’t use a vulnerable character set for connection encoding (you only use utf8 / latin1 / ascii / etc)

OR

  • Enable NO_BACKSLASH_ESCAPES SQL mode

You’re 100% safe.

Otherwise, you’re vulnerable even though you’re using PDO Prepared Statements…

Addendum

I’ve been slowly working on a patch to change the default to not emulate prepares for a future version of PHP. The problem that I’m running into is that a LOT of tests break when I do that. One problem is that emulated prepares will only throw syntax errors on execute, but true prepares will throw errors on prepare. So that can cause issues (and is part of the reason tests are borking).

Related Posts:

  1. PDOException SQLSTATE[HY000] [2002] No such file or directory
  2. PDOException SQLSTATE[HY000] [2002] No such file or directory
  3. PDO with INSERT INTO through prepared statements
  4. PDO bindParam() with prepared statement isn’t working
  5. pdo – Call to a member function prepare() on a non-object
  6. PDO closing connection
  7. How can I prevent SQL injection in PHP?
  8. SQLSTATE[HY093]: Invalid parameter number: parameter was not defined
  9. What does it mean to escape a string?
  10. Call to a member function on null?
  11. ERROR: SQLSTATE[HY000] [2002] No connection could be made because the target machine actively refused it
  12. What is the advantage of using try {} catch {} versus if {} else {}
  13. Deprecated: mysql_query() [duplicate]
  14. Google Calendar API event update always return 404 “not found” error
  15. Difference between “as $key => $value” and “as $value” in PHP foreach
  16. How do I get a YouTube video thumbnail from the YouTube API?
  17. How to avoid Request Entity Too Large 413 error
  18. Should I use mysqli_real_escape string() or mysql_real_escape_string() for form data?
  19. currently unable to handle this request HTTP ERROR 500
  20. How to fix “Headers already sent” error in PHP
  21. http://localhost:80 is not working on running Apache server through UniServer ZeroXIII
  22. How do I get PHP errors to display?
  23. What are the main differences between PHPExcel and PhpSpreadsheet?
  24. XAMPP Port 80 in use by “Unable to open process” with PID 4
  25. What are the differences in die() and exit() in PHP?
  26. Regex to check for new line
  27. Elegant way to search for UTF-8 files with BOM?
  28. Is SAJAX dead? What to replace with?
  29. break out of if and foreach
  30. Redirect vs RedirectMatch
  31. Can curl make a connection to any TCP ports, not just HTTP/HTTPS?
  32. Get Current URL in Magento and show something
  33. Error 330 (net::ERR_CONTENT_DECODING_FAILED):
  34. What does __FILE__ mean?
  35. Fatal error: Call to a member function bind_param() on boolean [duplicate]
  36. How do I fix “Undefined variable” error in PHP?
  37. How do you parse and process HTML/XML in PHP?
  38. Is there a difference between the UTC and Etc/UTC time zones?
  39. Fatal error: Call to a member function prepare() on null
  40. PHP mail not working for some reason
  41. move_uploaded_file gives “failed to open stream: Permission denied” error
  42. PHP convert XML to JSON
  43. How to call function of one php file from another php file and pass parameters to it?
  44. Is it possible to run .php files on my local computer?
  45. MAMP “Apache couldn’t be started because port is in use.” AND “Can’t connect to local MySQL server through /tmp/mysql.sock
  46. Php include not working? function not being included
  47. PHP mail function doesn’t complete sending of e-mail
  48. Convert php array to Javascript
  49. Warning: file_get_contents(): https:// wrapper is disabled in the server configuration by all
  50. phpMyAdmin ERROR: mysqli_real_connect(): (HY000/1045): Access denied for user ‘pma’@’localhost’ (using password: NO)
  51. Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in
  52. SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens on line 102
  53. What does MYSQLI_NUM mean and do?
  54. Fatal Error: Allowed Memory Size of 134217728 Bytes Exhausted (CodeIgniter + XML-RPC)
  55. Laravel 5 Clear Views Cache
  56. phpinfo() is not working on my CentOS server
  57. XAMPP, using port:81, cannot run localhost:81/mywebsite
  58. What does double question mark (??) operator mean in PHP
  59. How can I find the php.ini file used by the command line?
  60. Check if a PHP cookie exists and if not set its value
  61. Call to undefined function mysql_query() with Login [duplicate]
  62. Is there a function to make a copy of a PHP array to another?
  63. How to POST JSON Data With PHP cURL?
  64. htmlentities() vs. htmlspecialchars()
  65. Fastest way to implode an associative array with keys
  66. PhpMailer SMTP NOTICE: EOF caught while checking if connected
  67. Facebook – Error parsing input URL, no data was cached, or no data was scraped
  68. How to use $_SERVER[‘HTTP_REFERER’] correctly in php?
  69. what is $_SERVER[‘QUERY_STRING’] ? how it works?
  70. PHP Error : Fatal error: Constant expression contains invalid operations
  71. PHP: fopen() Permission denied
  72. How should I be setting browscap.ini file
  73. CodeIgniter: Unable to connect to your database server using the provided settings Error Message
  74. Returning JSON from a PHP Script
  75. JavaScript equivalent of PHP’s in_array()
  76. Create a folder if it doesn’t already exist
  77. Implement linked list in php
  78. Warning: Unknown: failed to open stream: No such file or directory in Unknown on line 0
  79. PHP: date function to get month of the current date
  80. How to make PDF file downloadable in HTML link?
  81. What is a templating language?
  82. Logout button php
  83. Determining Referer in PHP
  84. Unset cookies php
  85. PHP Like thing similar to MySQL Like, for if statement?
  86. Redirecting from HTTP to HTTPS with PHP
  87. PHP syntax question: What does the question mark and colon mean? [duplicate]
  88. PHP & Case Sensitivity 
  89. PHP Header redirect not working [duplicate]
  90. esc_attr() right way and use
  91. Does My Child-Theme Functions.php Need if{die} Security In It? [duplicate]
  92. Can I write ‘RewriteCond’ using ‘functions.php’?
  93. How Restrict access to admin dashboard by specific static ip?
  94. When must I use and verify nonce?
  95. Is there any risk setting WordPress file permissions and FS method to ‘direct’ on localhost?
  96. How do I get around “Sorry, this file type is not permitted for security reasons”?
  97. Password minimum length in personal subscription [closed]
  98. How to correctly escape an echo
  99. portfolio site – about this site section – is it safe to post some code
  100. Previewing/Updating some Pages causes “The requested URL was rejected” Error

Leave a Comment