How to change normal sql php code to secure pdo?

Question

Possible Duplicate:
Best way to prevent SQL Injection in PHP

Is this code secure since i am using mysql_real_escape_string and strip_tags Is there any need to change to pdo ? I am not able to convert the following code to pdo because its displaying cannot modify header .

<?php
include('config.php');
$link =mysql_connect($db_host,$username,$password);
mysql_select_db($db_name);

$id= $_POST["uniqi"]; 
$comments= $_POST["comments"]; 
$comments= mysql_real_escape_string($comments);
$comments = strip_tags($comments);

$update = "UPDATE mastertable SET comments = '$comments' WHERE id_pk= '$id'";
mysql_query($update, $link);
mysql_close();
header('Location: http://www.xxxx.com/xxxxx/xxxx.php?cntmsg=Comment Updated');
?>

You should definitely convert this to PDO - the mysql extension [is being deprecated](http://news.php.net/php.internals/53799). — DCoder, Jul 08 '12 at 15:50
http://stackoverflow.com/questions/8028957/headers-already-sent-by-php — PeeHaa, Jul 08 '12 at 15:51

Tudor Constantin · Accepted Answer · 2012-07-08T16:04:24.173

1

This is not safe code - your $id variable is not processed by your code.

$id= $_POST["uniqi"]; 
$id= mysql_real_escape_string($id);
$id = strip_tags($id);

edited Jul 08 '12 at 16:04

answered Jul 08 '12 at 15:51

Tudor Constantin

26,330
7
49
72

@vascowhite - first part of the reply is the actual regarding code safety – Tudor Constantin Jul 08 '12 at 15:54
@TudorConstantin $id is used in update statement – Tom Jul 08 '12 at 15:57
@Tom - yes, but you use the value that comes from the client (the browser) - it could send you dragons there like `'; DELETE FROM comments; SELECT '` instead of an id :) – Tudor Constantin Jul 08 '12 at 16:00
so how can i make the above code sercure or to pdo > – Tom Jul 08 '12 at 16:01
process the `$id` variable the same way you do with `$comments` – Tudor Constantin Jul 08 '12 at 16:02

How to change normal sql php code to secure pdo?

1 Answers1