Pulling Data from database using PDO

I was asking about this bit in terms of the security risk of putting the values (0, 8) directly in the query string, without looking at the colunms they actually use or knowing if there are others unused.

I’ve corrected the code and escaped the output :

 $sql = $connection->prepare("SELECT p_cat_id, p_cat_title FROM product_categories");


while($row= $sql->fetch()) {
    $p_cat_id = $row['p_cat_id'];

    $p_cat_title = htmlspecialchars($row['p_cat_title']);

    echo "<li> <a href='shop_pdo.php?p_cat=$p_cat_id' class='nav-link'> $p_cat_title </a> </li>";
1 Like

I have also escaped this one.

$sql = $pdo->prepare("SELECT product_id, product_title, product_price, product_img1  FROM products ORDER BY 1 DESC LIMIT 0, 8");


$result =  $sql->rowCount();

if($result === 0) exit('No rows');

while($row= $sql->fetch()) {
    $pro_id = $row['product_id'];

    $pro_title = htmlspecialchars($row['product_title']);

    $pro_price = intval($row['product_price']);

    $pro_img1 =htmlspecialchars($row['product_img1']);

    echo "
        <div class='col-md-4 col-sm-6 single'>
            <div class='product'>
                <a href='details.php?pro_id=$pro_id'>

                <div class='text'>
                <h3><a href='details.php?pro_id=$pro_id'>$pro_title</a></h3>

                <p class='price'>$$pro_price</p>

                <p class='buttons'>
                    <a href='details.php?pro_id=$pro_id' class='btn btn-outline-primary'>View details</a>

                    <a href='details.php?pro_id=$pro_id' class='btn btn-primary'>
                    <i class='fa fa-shopping-cart'></i> Add to cart

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.