Thursday, 18 January 2018

mysql - PHP PDO clean user input

itemprop="text">

I've been looking into the most
efficient method of cleaning user input. My application is a simple post request that is
used to authenticate a user. Looking online I can find more then a dozen different
"best" methods of doing this. A lot of these methods use deprecated php functions or
seem overly complicated. In order to connect to my sql database I use the PDO class.



While searching for my own functions I stumbled
accross this:





Prepared statements with bound parameters are not only more portable, more
convenient, immune to SQL injection, but are often much faster to execute than
interpolated queries, as both the server and client side can cache a compiled form of
the query.




I
already use the prepare method to create my statement. Does this mean I'm safe against
SQL injection attacks? What else should I be worried about?



Answer




If you bind ALL user data via prepared
statements with PDO you should be safe from injection. Any variables you put into your
SQL statement (like sort order) that you do not bind, is an open vector for attack.


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

php - file_get_contents shows unexpected output while reading a file

I want to output an inline jpg image as a base64 encoded string, however when I do this : $contents = file_get_contents($filename); print ...