From 66c140fa1e8e811a501be96b677b3e876ef1c325 Mon Sep 17 00:00:00 2001
From: =
Date: Sun, 8 Jul 2012 11:24:23 -0400
Subject: [PATCH] Optimize SQL query in database section

---
 _includes/databases.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/_includes/databases.md b/_includes/databases.md
index 975e46d..254fdb4 100644
--- a/_includes/databases.md
+++ b/_includes/databases.md
@@ -8,13 +8,13 @@ Let's assume a PHP script receives a numeric ID as a query parameter. This ID sh query("SELECT * FROM users WHERE id = " . $_GET['id']); // <-- NO! + $pdo->query("SELECT name FROM users WHERE id = " . $_GET['id']); // <-- NO! This is terrible code. You are inserting a raw query parameter into a SQL query. This will get you hacked in a heartbeat. Instead, you should sanitize the ID input using PDO bound parameters. prepare('SELECT * FROM users WHERE id = :id'); + $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id'); $stmt->bindParam(':id', (int)$_GET['id'], PDO::PARAM_INT); $stmt->execute();