Hey Everyone,
I know that using prepare, bindValue, execute SQL statements will prevent the possibility of a SQL injection; however, will prepare, execute(array(':foo' => $bar)) also? How safe are these methods for preventing SQL injections, and how effective is using $db->quote($bar) to sanitize input? Thanks for the help. I tried to Google this but I didn't really get anything useful; any other information or any useful links on the topic would also be greatly appreciated.
Hi,
This is injection secure:
$stmt = $db->prepare("SELECT * FROM table WHERE id=:id AND name=:name");
$stmt->execute(array(':name' => $name, ':id' => $id));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
With quote:
$db->quote($bar)
This is also secure against sql injections.
I personally find bindParam or array binding less work, but others may wrap their database data with quotes.
Anything where the code is kept separate from the data is safe from injection as injection relies on being able to include code in the data and have it misinterpreted as code instead of as data.
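To put the two replies above side by side in running code, here is an added example (not from any poster in this thread). It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the users table, its two rows, and the test input are constructed for the demo. The first three queries keep the value out of the SQL text (execute(array), bindValue, and quote), so the quote character in $name is treated as data; the fourth interpolates the value directly, so the same input changes the query's logic.

```php
<?php
// Added example: compares execute(array), bindValue, quote() and raw
// interpolation on the same input. Schema and rows are constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER, name TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

// Input containing a quote and an always-true condition.
$name = "x' OR '1'='1";
$id   = 1;

// 1. Named placeholders filled through execute(array(...)).
$stmt = $db->prepare("SELECT * FROM users WHERE id = :id AND name = :name");
$stmt->execute(array(':id' => $id, ':name' => $name));
echo "execute(array): " . count($stmt->fetchAll(PDO::FETCH_ASSOC)) . " rows\n";

// 2. Same query with bindValue(); the driver carries the value separately
//    from the SQL text, so no escaping is needed in the query string.
$stmt = $db->prepare("SELECT * FROM users WHERE id = :id AND name = :name");
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->bindValue(':name', $name, PDO::PARAM_STR);
$stmt->execute();
echo "bindValue: " . count($stmt->fetchAll(PDO::FETCH_ASSOC)) . " rows\n";

// 3. $db->quote() escapes the value AND adds the surrounding quotes itself;
//    do not type extra quotes into the SQL around it.
$sql = "SELECT * FROM users WHERE id = " . (int)$id
     . " AND name = " . $db->quote($name);
echo "quote(): " . count($db->query($sql)->fetchAll(PDO::FETCH_ASSOC)) . " rows\n";

// 4. For contrast: interpolating the raw value lets the input become part
//    of the query's code rather than its data.
$sql = "SELECT * FROM users WHERE id = $id AND name = '$name'";
echo "interpolated: " . count($db->query($sql)->fetchAll(PDO::FETCH_ASSOC)) . " rows\n";
```

Run it and compare the row counts printed by the first three queries with the fourth; only the interpolated query lets the condition in $name take effect.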
Ok, thank you for clearing this issue up for me. I usually use this method when working with databases, and I read a lot about how this method prevents SQL injections:
$stmt = $db->prepare("SELECT * FROM table WHERE id=:id AND name=:name");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':id', $id);
$stmt->execute();
So I was concerned whether the first method also prevented SQL injections. Thanks for clearing that up, ServerStorm and felgall.