So I’ve been wondering for some time, after being advised in a previous question to use PDO prepared statements, why its important when connecting to my Database to use them in an instance like so?
eg using $_SERVER['REMOTE_ADDR']
I mean, if no one knows I’m using a database, and they have no idea what I’m looking for, and the thing I’m looking for in the database (assuming they know) is an IP address, why should it matter? Is this a matter of XSS attacks?
Genuine question. Never been able to find any reason to use PDO statements (or similar methods) in this instance. Surely I’m not vunerable?
So you’re not sanitising your input at all?? Really?
What happens when you have a user named “Bob O’Reilly”? Will your code cope with that? Have you tried it?
Or what happens if someone enters a letter into a numeric field. Will your code cope with that?
SQL data sanitation is about more than just protecting against hacks; it’s allows for everyday data to be entered without worrying about whether it contains quote marks or other characters that would break the query.
Protecting against hacks is a very good thing, but even if that wasn’t a consideration, you would still need to sanitise your DB input.
Hackers don’t “know”, they guess; they try out a few common hacking techniques to see what happens. If the site responds in the way they hope for then they know that its vulnerable. That’s when they really start attacking you.
Those investigation hacks are typically automated and just trawl the web looking for sites to attack; you’ll be vulnerable simply by being online. Don’t think you’re safe just because you’re obscure, or because no-one knows your code, or because no-one would want to hack you. They will find you and they will hack you.