info/php-the-right-way
1
0
Fork 0
mirror of https://github.com/codeguy/php-the-right-way.git synced 2025-08-06 14:06:34 +02:00
Code Issues Projects Releases Wiki Activity

Merge pull request #39 from primitive-type/patch-1

Browse Source 
Update PDO example to use INPUT_GET instead of FILTER_GET
This commit is contained in:
Josh Lockhart
2012-07-09 05:26:58 -07:00
parent 91bed698af 918c2a085b
commit 698d11bb4c
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
_includes/databases.md
View File

@@ -15,7 +15,7 @@ This is terrible code. You are inserting a raw query parameter into a SQL query.
<?php
$pdo = new PDO('sqlite:users.db');
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$stmt->bindParam(':id', filter_input(FILTER_GET, 'id', FILTER_SANITIZE_NUMBER_INT), PDO::PARAM_INT);
$stmt->bindParam(':id', filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT), PDO::PARAM_INT);
$stmt->execute();
This is correct code. It uses a bound parameter on a PDO statement. This escapes the foreign input ID before it is introduced to the database preventing potential SQL injection attacks.