Is it secure to use sql as parameter in private function?

Question

I do also validate $type, and use get/set.

private function somfunc($sql) {
    // query and return result set as an array
}

private function mytype($type) {
    switch ($type)
    case topic: $sql="......";
    return sql;
}

public function display($type) {
    // switch case to require template
    // call somefunc and mytype here
}

If it's not secure, how do I improve my code?

No, it's not secure. see http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php — MLeblanc, May 26 '13 at 14:01
@MLeblanc: Why isn't this secure? You can still use prepared statements with this code. OP: you probably want to `return $sql`. — Marcel Korpel, May 26 '13 at 14:06

score 0 · Accepted Answer · answered May 26 '13 at 14:11

Is it secure to use sql as parameter in private function?

The two things are not connected. It's not like using sql as parameter in public function is any safer. The visibility / access of a function does not impact on the safety of SQL. Prepared statements do.

Is it secure to use sql as parameter in private function?

1 Answers1