info/php-the-right-way
1
0
Fork 0
mirror of https://github.com/codeguy/php-the-right-way.git synced 2025-08-18 19:41:15 +02:00
Code Issues Projects Releases Wiki Activity

Use filter_input in database PDO query as suggested by @onethumb

Browse Source 
Fixes #26
This commit is contained in:
=
2012-07-08 19:33:35 -04:00
parent c5e11d346f
commit 948a58d393
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
_includes/databases.md
View File

@@ -15,7 +15,7 @@ This is terrible code. You are inserting a raw query parameter into a SQL query.
<?php
$pdo = new PDO('sqlite:users.db');
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$stmt->bindParam(':id', (int)$_GET['id'], PDO::PARAM_INT);
$stmt->bindParam(':id', filter_input(FILTER_GET, 'id', FILTER_SANITIZE_NUMBER_INT), PDO::PARAM_INT);
$stmt->execute();
This is correct code. It uses a bound parameter on a PDO statement. This escapes the foreign input ID before it is introduced to the database preventing potential SQL injection attacks.