TechHui

Hawaiʻi's Technology Community

Reduce SQL injection using PHP PDO prepare() and execute()

Hi,
I have just recently begun using PHP PDO, and experimenting with using PDO->prepare($sql) along with PDOStatement->execute(array()). I have done some simple testing and without any additional filtering of input, it seems to prevent SQL injection attacks that I know of. Considering that most of my sites are just simple apps that are used on the campus where I teach, my knowledge of SQL injection attacks is not extensive. I was wondering if any of you have had experience with using PDO prepare() and execute(), and if you think that they do help (significantly) to prevent SQL injection attacks. (Note that in practice, I would not rely just on these features as I use both PEAR's HTML_QuickForm and Validate to filter input before creating SQL statements from input.)

Also, being new to TechHui, I was wondering if it is okay to post code in discussions and have people comment on the code.
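An added example (not the original poster's code) that puts the string-concatenated query next to the prepare()/execute() form the question asks about, and shows the one case placeholders do not cover: column or table names, which must be checked against an allow-list. It assumes the pdo_sqlite extension and uses an in-memory SQLite table with constructed rows.

```php
<?php
// Added example, not from the original post. Assumes the pdo_sqlite
// extension; an in-memory SQLite table with constructed rows stands in
// for a real database.
declare(strict_types=1);

function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Ask for the driver's native prepared statements instead of client-side
    // emulation, so bound values travel separately from the SQL text.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
    return $db;
}

// Vulnerable: the input is pasted into the SQL text, so the database parses
// it as SQL. A value containing a quote changes the WHERE clause.
function findUserUnsafe(PDO $db, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is fixed at prepare() time; the value is bound at
// execute() time and can only ever be compared as data, quotes included.
function findUserSafe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Caveat: placeholders bind values only, never identifiers or keywords.
// A caller-supplied sort column has to be validated against an allow-list.
function listUsersSorted(PDO $db, string $column): array {
    $allowed = ['id', 'name'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    return $db->query("SELECT id, name FROM users ORDER BY $column")
              ->fetchAll(PDO::FETCH_ASSOC);
}

$db = connect();
$input = "x' OR '1'='1";   // constructed input; no user has this name
echo count(findUserUnsafe($db, $input)), " rows via string concatenation\n";
echo count(findUserSafe($db, $input)), " rows via prepare()/execute()\n";
print_r(listUsersSorted($db, 'name'));
```

The concatenated query returns every row for that input while the bound query returns none; the third function is the case to keep in mind when a filter like HTML_QuickForm is the only thing standing between a form field and an ORDER BY clause.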

