
I wonder if I need to escape $_POST and/or $_GET arrays in PDO? (OOP)

Example:

<?php $name = $_POST['name']; ?>

What should I do to prevent "SQL Injection" with this? Thanks.

tereško
user2722718
  • If you prepare it, you won't need to escape. Only an `isset` would be necessary. – Dave Chen Sep 04 '13 at 16:50
  • possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Quentin Sep 04 '13 at 16:54

3 Answers


If you are using PDO you can use a prepared statement.

Here you have good examples:

http://php.net/manual/en/pdo.prepare.php

PDO will escape the value for you before your query (with the prepared statement), so you don't have to worry about that.

Freelancer

NO

A double NO.

  • You shouldn't escape.
  • You shouldn't pay any special attention to $_POST or $_GET variables at all.

What should I do to prevent "SQL Injection"

  1. Instead of escaping you have to use prepared statements.
  2. It is the data destination, not the source, that matters.

Every variable that is going into an SQL query should be added via a placeholder only, no matter if it is coming from POST, GET or an ATM wire transfer.

Your Common Sense

You should use prepared statements. Not only does PDO escape the values for you, but it makes the query string look a bit nicer too, and easier for maintenance later on down the line.

$sql = 'SELECT * FROM users WHERE id = ?';
$stmt = $dbh->prepare($sql);
$stmt->execute(array($_GET['blah']));

I use HashPHP when I need help with PDO; their tutorials are a bit easier to understand.

http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers

Justin E