 

PDO, Prepared statements and SQL-Injection again

After reading several articles about PDO and MySQLi prepared statements, and also tens of questions concerning prepared statements and SQL injection on stackoverflow.com, people were saying that with the correct use of prepared statements there's no need anymore to escape entries from users. But I think I am still worried and have security concerns.

1st Question: If I still sanitize entries using reg-exp and escaping before using them in my prepared statements, is that like I'm overdoing it?

2nd Question: If prepared statements are doing the job concerning SQL injection (from people's comments and answers), why are there still compromised databases and more and more exposed data about credit card numbers and passwords, and hacked accounts even from "big" and well-known websites? Does that mean a prepared statement alone is not so immune, or is it a totally different topic?

Mi-Creativity asked Nov 02 '25 06:11


2 Answers

If I still sanitize entries using reg-exp and escaping before using them in my prepared statements, is that like I'm overdoing it?

  • If you are removing characters with special meaning in SQL because they have special meaning in SQL, then that's a waste (and leads to storing Ms. O'Donnell's surname incorrectly)
  • If you are escaping those characters, then you will get double encoding, which is terrible as you'll end up (for example) sending emails starting with Dear Ms. O\'Donnell,.
  • If you are making sure that a date is a sensible date, then that's just sensible protection of data integrity.

If prepared statements are doing the job concerning SQL injection (from people's comments and answers), why are there still compromised databases and more and more exposed data about credit card numbers and passwords, and hacked accounts even from "big" and well-known websites? Does that mean a prepared statement alone is not so immune, or is it a totally different topic?

Because:

  • Not everybody uses prepared statements
  • Not everybody who uses them uses them correctly
  • Databases can be attacked through other vectors (such as a remote code execution vulnerability in a web server or brute force attacks on an admin user's SSH account).
Quentin answered Nov 04 '25 18:11


  1. If you are doing it aiming at SQL security only - yes, it's obvious and useless overkill.
  2. Yes, of course. As a matter of fact, native prepared statements cover only a fraction of cases, giving no security for the others.

Nevertheless, the idea of a prepared statement in general is a brilliant one - so a developer has to take care of the other cases themselves.

Here is my solution - a library that offers a placeholder for everything, not just two scalar data types.

Your Common Sense answered Nov 04 '25 19:11
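The "other cases" this answer refers to are the parts of a statement a native placeholder cannot stand in for: a column name in ORDER BY, the ASC/DESC keyword, and a variable-length IN (...) list. The example below is added here and is not the answerer's library (which is not shown on the page); it demonstrates the same idea with a hand-rolled allow-list and generated placeholders, again using Python's sqlite3 as a stand-in for PDO. The customers table and its rows are constructed sample data, and ALLOWED_SORT_COLUMNS / ALLOWED_DIRECTIONS are names chosen for this example.

```python
import sqlite3

# Allow-lists for the parts of a statement that cannot be bound: identifiers and
# keywords. Anything not listed is rejected outright; it is never escaped.
ALLOWED_SORT_COLUMNS = {"id", "surname", "signup"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def new_db() -> sqlite3.Connection:
    """Constructed sample table (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, surname TEXT, signup TEXT)")
    conn.executemany(
        "INSERT INTO customers (surname, signup) VALUES (?, ?)",
        [("Adams", "2025-01-05"), ("O'Donnell", "2025-03-09"), ("Zhang", "2025-02-20")],
    )
    return conn


def build_select(sort_by: str, direction: str, ids: list) -> tuple[str, list[int]]:
    """Builds one SELECT that mixes the three kinds of input a real query needs:
    - a column name  -> checked against ALLOWED_SORT_COLUMNS (cannot be a ? parameter)
    - a keyword      -> checked against ALLOWED_DIRECTIONS  (cannot be a ? parameter)
    - a list of ids  -> one ? generated per element, so every value is still bound;
                        cast to int first so a stray string never reaches the SQL."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"refusing to sort by unknown column {sort_by!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"refusing unknown sort direction {direction!r}")
    params = [int(i) for i in ids]  # raises ValueError on anything that is not a number
    if not params:
        raise ValueError("IN () is a syntax error; the caller must handle the empty case")
    placeholders = ", ".join("?" * len(params))
    sql = (f"SELECT surname FROM customers WHERE id IN ({placeholders}) "
           f"ORDER BY {sort_by} {direction}")
    return sql, params


def query(conn: sqlite3.Connection, sort_by: str, direction: str, ids: list) -> list[str]:
    sql, params = build_select(sort_by, direction, ids)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = new_db()
    print(query(db, "surname", "desc", [1, 2, 3]))
    print(query(db, "signup", "asc", ["2", 3]))
```

The design choice worth noticing is that the identifier and keyword are never "cleaned" and then interpolated: they are either exactly one of the known-good values or the request is refused, while the data values keep going through ordinary binding. That is the split a "placeholder for everything" library has to make internally for each placeholder type.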