info/php-the-right-way
1
0
Fork 0
mirror of https://github.com/codeguy/php-the-right-way.git synced 2025-08-15 18:23:58 +02:00
Code Issues Projects Releases Wiki Activity

Optimize SQL query in database section

Browse Source
This commit is contained in:
=
2012-07-08 11:24:23 -04:00
parent 67c69dcde4
commit 66c140fa1e
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
_includes/databases.md
View File

@@ -8,13 +8,13 @@ Let's assume a PHP script receives a numeric ID as a query parameter. This ID sh
<?php
$pdo = new PDO('sqlite:users.db');
$pdo->query("SELECT * FROM users WHERE id = " . $_GET['id']); // <-- NO!
$pdo->query("SELECT name FROM users WHERE id = " . $_GET['id']); // <-- NO!
This is terrible code. You are inserting a raw query parameter into a SQL query. This will get you hacked in a heartbeat. Instead, you should sanitize the ID input using PDO bound parameters.
<?php
$pdo = new PDO('sqlite:users.db');
$stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id');
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$stmt->bindParam(':id', (int)$_GET['id'], PDO::PARAM_INT);
$stmt->execute();