Single Quote Escape in PDO Prepared Statement Parameters

So I understand PDO Prepared Statements should protect from SQL injection and ' escapes. But when I attempted the following...

if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST["id"]))
{
    $id = $_POST["id"];
    //$id = "2' AND name='Entry2";   // the value submitted for the test described below
    $someinfo = "updated";

    // ...DB Stuff... (sets $servername, $dbname, $username, $dbpassword)

    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $dbpassword);

    // Named placeholders: the bound values are passed as data and never parsed as SQL
    $stmt = $conn->prepare("UPDATE testdb SET info=:someinfo WHERE id=:id");

    $stmt->bindParam(':id', $id);
    $stmt->bindParam(':someinfo', $someinfo);
    $stmt->execute();

    $conn = null;

    exit();
}

Then the row with id=2 and name=entry2 would be updated. Now it doesn't seem like this can be used to escape into other SQL queries, and I assume I can take precautions to ensure this kind of escape can't really do damage. But I wanted to be sure that there wasn't some other way to prevent ' escapes making unexpected changes to SQL query parameters. (Worth noting, I tried something similar in SQLi and got pretty much the same result.)

Is there something I'm missing? Or is this just the way Prepared Statements work?


After looking around some more, this behavior was eloquently explained/solved for me here: https://phpdelusions.net/pdo#comment-277

It turns out it's not escaping the string, but instead truncating input after the integer which just made it appear to escape the string. I was able to confirm this upon modifying the code.
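The following is an added example, not code from the original post or from the linked phpdelusions page. It reproduces the three cases behind the self-answer in Python with an in-memory SQLite table (constructed sample rows, not the asker's data) instead of PHP/MySQL: the concatenated query, where the quote in the payload really does close the literal and the injected AND executes; the bound parameter, where the whole payload is one literal compared against the integer column; and an input check that rejects non-integer ids before they reach the database. One difference from the asker's setup is deliberate: MySQL casts the bound string to a number by keeping the leading digits and discarding the rest (the truncation the self-answer describes), whereas SQLite only converts a bound string that is a well-formed number, so the payload simply fails to match and no row changes. The function names and the parse_id check are this example's own choices.

```python
import re
import sqlite3

# Constructed sample rows standing in for the asker's testdb (not from the original post).
ROWS = [(1, "Entry1", "orig"), (2, "Entry2", "orig"), (3, "Entry3", "orig")]

# The value the asker submitted as $_POST["id"].
PAYLOAD = "2' AND name='Entry2"


def fresh_db():
    """New in-memory SQLite database with an INTEGER id column, like the asker's table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE testdb (id INTEGER, name TEXT, info TEXT)")
    conn.executemany("INSERT INTO testdb VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def run_update(conn, sql, params=()):
    """Execute one statement; return (rows changed, final (id, info) pairs)."""
    cur = conn.execute(sql, params)
    conn.commit()
    return cur.rowcount, conn.execute("SELECT id, info FROM testdb ORDER BY id").fetchall()


def update_concatenated(conn, user_id):
    """Vulnerable form: the value is spliced into the SQL text, so the quote in
    PAYLOAD closes the literal and  AND name='Entry2'  runs as real SQL."""
    return run_update(conn, "UPDATE testdb SET info='updated' WHERE id='" + user_id + "'")


def update_parameterized(conn, user_id):
    """PDO-style form: the value is bound, so the entire string (quote included) is
    a single literal compared with the integer column; it is never parsed as SQL."""
    return run_update(conn, "UPDATE testdb SET info='updated' WHERE id=?", (user_id,))


def parse_id(user_id):
    """Reject anything that is not an integer before it is bound, so no database
    casting rule (MySQL's leading-digit truncation included) ever gets a chance
    to apply. PHP equivalent: filter_var($id, FILTER_VALIDATE_INT) and binding
    with PDO::PARAM_INT. Hypothetical helper added for this example."""
    if not re.fullmatch(r"-?[0-9]+", user_id):
        raise ValueError("id must be an integer")
    return int(user_id)


def demo():
    """Rows changed in each of the three cases."""
    results = {}
    # 1. Concatenation: WHERE id='2' AND name='Entry2' executes, so row 2 changes.
    results["concat"] = update_concatenated(fresh_db(), PAYLOAD)[0]
    # 2. Bound payload: one literal, not a well-formed number, so SQLite changes nothing.
    #    (MySQL would cast it to 2 and update row 2, which is what the asker observed.)
    results["bound_payload"] = update_parameterized(fresh_db(), PAYLOAD)[0]
    # 3. Bound "2": a well-formed numeric string, converted and matched against id 2.
    results["bound_clean"] = update_parameterized(fresh_db(), "2")[0]
    # 4. Validation: the payload never reaches the database at all.
    try:
        parse_id(PAYLOAD)
        results["validated"] = "accepted"
    except ValueError:
        results["validated"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The practical takeaway matches the self-answer: a bound parameter cannot change the shape of the query, and what looked like an escape was the database's lenient string-to-integer cast. Validating the id as an integer (or binding it as PDO::PARAM_INT) removes the surprise entirely, because the database is then never asked to compare an integer column against text.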
