Update PDO example to use INPUT_GET instead of FILTER_GET for the type parameter of the filter_input function. http://www.php.net/manual/en/function.filter-input.php

This commit is contained in:
primitive-type
2012-07-08 22:12:14 -05:00
parent 91bed698af
commit 918c2a085b


@@ -15,7 +15,7 @@ This is terrible code. You are inserting a raw query parameter into a SQL query.
<?php
$pdo = new PDO('sqlite:users.db');
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$stmt->bindParam(':id', filter_input(FILTER_GET, 'id', FILTER_SANITIZE_NUMBER_INT), PDO::PARAM_INT);
$stmt->bindParam(':id', filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT), PDO::PARAM_INT);
$stmt->execute();
This is correct code. It uses a bound parameter on a PDO statement. This escapes the foreign input ID before it is introduced to the database preventing potential SQL injection attacks.
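Review bot: the constant fix is right (INPUT_GET is the type argument; FILTER_GET is not a valid value there), but the new line still passes the return value of filter_input() straight into bindParam(), which takes its second argument by reference, so PHP reports "Only variables should be passed by reference" for both the removed and the added line. Either bind with bindValue() or assign the filtered value to a variable first. Since the example is meant to be the corrected code, it is also worth noting that FILTER_SANITIZE_NUMBER_INT only strips characters other than digits and the plus and minus signs, so a non-numeric id is not rejected; FILTER_VALIDATE_INT returns false on a malformed value and null when the parameter is absent, which lets the example refuse bad input instead of binding a stripped string, for instance:
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) { /* reject the request */ }
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
The unchanged comment line below the code also says the bound parameter "escapes" the input; a prepared statement sends the parameter separately from the query text rather than escaping it into the string, so that sentence could be reworded in a follow-up.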