Something weird is happening, because PDO should escape XSS.
Here is the PDO class:
```php
<?php
class database {
    private $host = 'localhost';
    private $user = 'root';
    private $pass = '';
    private $dbname = '';
    private static $_instance;
    private $dbh;
    private $stmt;
    private $error;

    private function __construct() {
        if ($this->dbh != null) return $this->dbh;
        $dsn = 'mysql:host=' . $this->host . ';dbname=' . $this->dbname;
        $options = array(
            PDO::ATTR_PERSISTENT => true,
            PDO::ATTR_ERRMODE => PDO::ERRMODE_WARNING, // ERRMODE_SILENT
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8",
        );
        try {
            $this->dbh = new PDO($dsn, $this->user, $this->pass, $options);
        } catch (PDOException $e) {
            echo '__construct -> ';
            var_dump($e->getMessage());
        }
    }

    private function __clone() { }

    public static function getInstance() {
        if (!self::$_instance) {
            self::$_instance = new database();
        }
        return self::$_instance;
    }

    public function query($query) {
        try {
            $this->stmt = $this->dbh->prepare($query);
        } catch (PDOException $e) {
            echo 'query -> ';
            var_dump($e->getMessage());
        }
    }

    public function bindValue($param, $value, $type) {
        $this->stmt->bindValue($param, $value, $type);
    }

    public function execute() {
        try {
            return $this->stmt->execute();
        } catch (PDOException $e) {
            echo 'execute -> ';
            var_dump($e->getMessage());
        }
    }
}
?>
```
...and here is the handler that inserts comments into the database:
```php
$this->db->query("INSERT `comments` (`user_id`, `post_id`, `text`, `added`) VALUES (:user_id, :post_id, :text, :added)");
$this->db->bindValue(':user_id', $user_id, PDO::PARAM_INT);
$this->db->bindValue(':post_id', $recipe_id, PDO::PARAM_INT);
$this->db->bindValue(':text', $_POST['text'], PDO::PARAM_STR);
$this->db->bindValue(':added', time(), PDO::PARAM_INT);
$this->db->execute();
```
And the input is not escaped: `"">'>''>"> alert(1);"`
...so what's wrong with PDO??
You're confusing different types of security vulnerability, which have the same basic principle, but happen in different places:
- SQL injection occurs when an attacker tricks code building an SQL string into having side effects on the data. For instance, executing a DROP TABLE statement by manipulating a dynamic clause.
- HTML injection occurs when an attacker tricks code building HTML into containing additional elements it didn't intend, possibly including script execution in a user's browser.
- JS injection again follows a similar pattern when dynamically building JS itself.
The mitigation against all of these is similar - either isolate data from code, so it can never be executed, or escape the special characters that would "break out of" the intended markup. There is no single set of escapes that will make a string safe in all contexts; you have to prepare it in the right way for the context you're using it in.
So in your case, the use of parameterised queries in the DB layer prevents SQL injection, but has no bearing on how the data is included in HTML, JS, or future SQL calls - the text that comes out is identical to the text that goes in.
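The following is an added example, not code from the question or the answer above. It shows the point of the answer end to end: a bound parameter stores the comment text verbatim, so the same string then has to be escaped differently for the HTML and JavaScript output contexts. It assumes the `pdo_sqlite` extension is available (an in-memory SQLite database replaces the MySQL connection so it runs stand-alone); the `comments` table, the sample input and the helper names `html()` and `jsLiteral()` are constructed for this demo.

```php
<?php
// Added example: parameterised queries isolate data from SQL, but escaping
// for HTML and JS is a property of the output context, not of PDO.

$pdo = new PDO('sqlite::memory:');   // assumption: pdo_sqlite is installed
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, text TEXT NOT NULL)');

// Constructed input resembling the probe in the question.
$input = '"><script>alert(1)</script>';

// 1. SQL context: the placeholder keeps the data out of the statement text,
//    so quotes and angle brackets in $input cannot alter the INSERT.
$stmt = $pdo->prepare('INSERT INTO comments (text) VALUES (:text)');
$stmt->bindValue(':text', $input, PDO::PARAM_STR);
$stmt->execute();

// The stored value is byte-for-byte what went in: PDO did not "escape" it.
$stored = $pdo->query('SELECT text FROM comments')->fetchColumn();
var_dump($stored === $input); // bool(true)

// 2. HTML context: escape at output time, with ENT_QUOTES so the value is
//    also safe inside a quoted attribute.
function html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
echo '<p>' . html($stored) . "</p>\n";
// <p>&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;</p>

// 3. JavaScript context: html() is the wrong tool here. Emit the value as a
//    JSON string literal, with the HEX flags so "<", ">", "&", quotes are
//    encoded as \uXXXX and cannot close the surrounding <script> element.
function jsLiteral(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}
echo '<script>var comment = ' . jsLiteral($stored) . ";</script>\n";
```

Run it with `php example.php`: the `var_dump` prints `bool(true)`, confirming the round trip is lossless, and the two `echo` lines show the same stored string rendered safely for two different contexts. The template or view layer, not the database wrapper, is where these calls belong.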