Optimize SQL query in database section

2025-08-16 10:43:58 +02:00 · 2012-07-08 11:24:23 -04:00
parent 67c69dcde4
commit 66c140fa1e
1 changed files with 2 additions and 2 deletions
--- a/_includes/databases.md
+++ b/_includes/databases.md
@@ -8,13 +8,13 @@ Let's assume a PHP script receives a numeric ID as a query parameter. This ID sh
    <?php
    $pdo = new PDO('sqlite:users.db');
-    $pdo->query("SELECT * FROM users WHERE id = " . $_GET['id']); // <-- NO!
+    $pdo->query("SELECT name FROM users WHERE id = " . $_GET['id']); // <-- NO!
 This is terrible code. You are inserting a raw query parameter into a SQL query. This will get you hacked in a heartbeat. Instead, you should sanitize the ID input using PDO bound parameters.
    <?php
    $pdo = new PDO('sqlite:users.db');
-    $stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id');
+    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindParam(':id', (int)$_GET['id'], PDO::PARAM_INT);
    $stmt->execute();