未加星标

MySQL / PHP - Is a PDO buffer overflow possible?

字体大小 | |
[开发(php) 所属分类 开发(php) | 发布者 店小二05 | 时间 2018 | 作者 红领巾 ] 0人收藏点击收藏

I'm coding a website right now. I store the users accounts inside a mysql table. I use PDO to access them as it's a lot safer and takes care of any attacks. I store usernames as a VARCHAR(24).

But here is my question: does PDO take care of overflows? For example if the user would try to set his username to a length of 25?

Not sure whether you did the obvious thing and just tried yourself but... No, PDO is not a complex ORM. It won't waste resources parsing SQL queries to determine what tables and columns are to be written and fetching table definitions from server to validate input data.

Depending on your MySQL configuration, your query will fail with an error or it'll proceed happily and you'll get data loss as a feature. But it'll all happen at MySQL server:

mysql> CREATE TABLE user ( -> user_id INT(10) UNSIGNED NOT NULL AUTO_INCREMENT, -> username VARCHAR(24) NOT NULL, -> PRIMARY KEY (user_id) -> ); Query OK, 0 rows affected (0.00 sec) mysql> SET @@SESSION.sql_mode=''; Query OK, 0 rows affected (0.00 sec) mysql> INSERT INTO user (username) VALUES ('this.is.a.very.long.username'); Query OK, 1 row affected, 1 warning (0.00 sec) mysql> SHOW WARNINGS; +---------+------+-----------------------------------------------+ | Level | Code | Message | +---------+------+-----------------------------------------------+ | Warning | 1265 | Data truncated for column 'username' at row 1 | +---------+------+-----------------------------------------------+ 1 row in set (0.00 sec) mysql> SELECT * FROM user; +---------+--------------------------+ | user_id | username | +---------+--------------------------+ | 1 | this.is.a.very.long.user | +---------+--------------------------+ 1 row in set (0.00 sec) mysql> SET @@SESSION.sql_mode='TRADITIONAL'; Query OK, 0 rows affected (0.00 sec) mysql> INSERT INTO user (username) VALUES ('this.is.also.a.very.long.username'); ERROR 1406 (22001): Data too long for column 'username' at row 1

I you are talking about what the term buffer overflow commonly refers to, bothphp and great parts of MySQL Server are written in C, which is a rather low level language that's certainly vulnerable to it. But of course both developer teams try their best to avoid it and if you face one it'll be the result of a bug, it should be reported as potential security vulnerability and it's highly unlikely to be caused by the simple case you describe.

本文开发(php)相关术语:php代码审计工具 php开发工程师 移动开发者大会 移动互联网开发 web开发工程师 软件开发流程 软件开发工程师

代码区博客精选文章
分页:12
转载请注明
本文标题:MySQL / PHP - Is a PDO buffer overflow possible?
本站链接:https://www.codesec.net/view/610866.html


1.凡CodeSecTeam转载的文章,均出自其它媒体或其他官网介绍,目的在于传递更多的信息,并不代表本站赞同其观点和其真实性负责;
2.转载的文章仅代表原创作者观点,与本站无关。其原创性以及文中陈述文字和内容未经本站证实,本站对该文以及其中全部或者部分内容、文字的真实性、完整性、及时性,不作出任何保证或承若;
3.如本站转载稿涉及版权等问题,请作者及时联系本站,我们会及时处理。
登录后可拥有收藏文章、关注作者等权限...
技术大类 技术大类 | 开发(php) | 评论(0) | 阅读(88)