From 948a58d393d679f16930022d9033bf787dcdbcaa Mon Sep 17 00:00:00 2001
From: = <info@joshlockhart.com>
Date: Sun, 8 Jul 2012 19:33:35 -0400
Subject: [PATCH] Use filter_input in database PDO query as suggested by
 @onethumb

Fixes #26
---
 _includes/databases.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/_includes/databases.md b/_includes/databases.md
index 254fdb4..8d8b4d9 100644
--- a/_includes/databases.md
+++ b/_includes/databases.md
@@ -15,7 +15,7 @@ This is terrible code. You are inserting a raw query parameter into a SQL query.
     <?php
     $pdo = new PDO('sqlite:users.db');
     $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
-    $stmt->bindParam(':id', (int)$_GET['id'], PDO::PARAM_INT);
+    $stmt->bindParam(':id', filter_input(FILTER_GET, 'id', FILTER_SANITIZE_NUMBER_INT), PDO::PARAM_INT);
     $stmt->execute();
 
 This is correct code. It uses a bound parameter on a PDO statement. This escapes the foreign input ID before it is introduced to the database preventing potential SQL injection attacks.