PDO query safety practices

Asked Apr 24 '14 at 07:12

Active Apr 24 '14 at 07:12

Viewed 35 times

Am developing my first website and i would consider on security. i Have a query and am using PDO. My Db is MySQL. i want to check if my code is possible for injection.

i hope there are helpful guys out there. thanks

    >$sql = "SELECT * FROM boardbasis WHERE prop_id = ?";
    >$BoardBasis_stmt = $dbh->prepare($sql);
    >$BoardBasis_stmt->execute(array($_GET['prop_id']));
    >$BoardBasis = $BoardBasis_stmt->fetch(PDO::FETCH_ASSOC);

asked Apr 24 '14 at 07:12

user2981233

Is always a good practice to sanitize your params – Sal00m Apr 24 '14 at 07:14
2

Your code is fine and this specific example is injection free. – h2ooooooo Apr 24 '14 at 07:15
actually the above code is used to retrieve data from DB. i have my url like this. localhost/test/index.php?prop_id=1 – user2981233 Apr 24 '14 at 07:20
based on that url my page retrieves data. and that pro_id in the url is changed using a form in my page. So is it possible for a hacker to use the same form to inject my DB? – user2981233 Apr 24 '14 at 07:22
@user2981233 As long as you used prepared statements and bind variables (like you do here) your code is safe. – h2ooooooo Apr 24 '14 at 07:34
Duplicate of http://stackoverflow.com/questions/8263371/how-prepared-statements-can-protect-from-sql-injection-attacks/8265319#8265319 – Your Common Sense Apr 24 '14 at 07:55
1

@Sal00m it is always a good practice to imply some **particular** meaning when using a word. – Your Common Sense Apr 24 '14 at 07:56
how if the case is to insert a record to DB. – user2981233 Apr 24 '14 at 09:39

PDO query safety practices

0 Answers0