
Possible Duplicate:
How to prevent SQL injection in PHP?

I use PDO prepared statements to prevent MySQL injection, but should I be doing anything more to sanitize user input? The user will only be shown his own input and the input of others he "friends." Is there anything else I need to do to sanitize input?

I don't think that magic quotes are enabled, and I can't think of any other way a user could mess with my site, but I am new to this so I am not sure.

Thanks in advance!

CoderOfHonor

1 Answer


If you're using prepared statements, then you shouldn't have any issue with MySQL injection.

If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible).

You might consider sanitizing your output, however, like only displaying certain HTML tags (if any at all), to avoid issues with someone messing with the site's layout or, worse, executing arbitrary JavaScript.

Ian Hunter
  • A note. There are query parts that one can't bind via prepared statements. – Your Common Sense Feb 02 '13 at 19:42
  • True, and if that is the case, you should try to determine if your other query parts have finite and reasonable bounds you could set for them, building them yourself instead of arbitrarily interpolating user input for things like table names, etc. If you need more information, @YourCommonSense actually has a great answer on this kind of thing here: http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php/8255054#8255054 – Ian Hunter Feb 02 '13 at 19:50
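The answer covers the two halves separately: bound parameters on the database side, escaping on the output side, and (in the comments) a whitelist for query parts that cannot be bound. The following is an added example illustrating all three together; it is not code from the question, the answer, or the linked post. It assumes a `posts` table (`id`, `author_id`, `body`), a `friends` table (`user_id`, `friend_id`), and placeholder DSN credentials, all of which are invented for the illustration.

```php
<?php
// Added example (not from the question or answer): PDO prepared statements for
// the database side, a whitelist for a non-bindable ORDER BY column, and
// htmlspecialchars() on the output side.
// Assumed schema: posts(id, author_id, body), friends(user_id, friend_id).
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=EXAMPLE_DB;charset=utf8mb4', // placeholder DSN
        'EXAMPLE_USER',                                           // placeholder
        'EXAMPLE_PASSWORD',                                       // placeholder
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

// Store user input as a bound parameter; it is never spliced into the SQL text.
function savePost(PDO $pdo, int $authorId, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (author_id, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $authorId, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// A column name cannot be bound, so the sort key is mapped through a fixed
// whitelist and the user-supplied value itself never reaches the query.
function loadFeed(PDO $pdo, int $viewerId, string $sortBy = 'id'): array
{
    $allowedSort = ['id' => 'p.id', 'author' => 'p.author_id'];
    if (!isset($allowedSort[$sortBy])) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $orderBy = $allowedSort[$sortBy];

    // With emulation off, MySQL needs a distinct placeholder per occurrence.
    $sql = "SELECT p.id, p.author_id, p.body
              FROM posts p
             WHERE p.author_id = :viewer
                OR p.author_id IN (SELECT f.friend_id FROM friends f WHERE f.user_id = :viewer2)
          ORDER BY $orderBy";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':viewer' => $viewerId, ':viewer2' => $viewerId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output side: escape at render time, so stored text is shown as text rather
// than interpreted as markup or script by the browser.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderFeed(array $rows): string
{
    $html = "<ul>\n";
    foreach ($rows as $row) {
        $html .= '  <li data-author="' . e((string) $row['author_id']) . '">'
               . e($row['body']) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Usage with a constructed hostile input: the text is stored verbatim (no input
// mangling needed) and neutralised only at the point where it becomes HTML.
$pdo = connect();
savePost($pdo, 42, '<script>alert(1)</script>');
echo renderFeed(loadFeed($pdo, 42, 'id'));
```

Two design points are worth noting. The raw input is stored unchanged: escaping happens once, at render time, with the escaping function chosen for that output context (HTML body and attribute values here), so the same stored text can later be emitted as JSON or plain text without first undoing an HTML-oriented "sanitization". And the `ORDER BY` column is never taken from the request directly; the request value is only a key into `$allowedSort`, which is the bounded, finite set the comment above describes.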