Is this safe from injections?

Question

I'm pretty new with PDO. I'm wondering is this now safe from SQL injections?

$name = isset($_GET['name']) ? $_GET['name'] : null;

// Fetch some info
$stmt = $db->prepare("SELECT * FROM players WHERE name = ? AND account_id = ?");
$stmt->execute(array($name, $aid));
$row = $stmt->fetch();

if ($row) {
$stmt = $db->prepare("DELETE FROM players WHERE id = ?");
$stmt->execute(array($row['id']));
header("Location: /account");
exit();
} else {
header("Location: /account");
exit();
}

Yes. The use of bound parameters in `?` prevents SQL injection. That doesn't mean that it isn't possible for users to delete records which they don't have permission to delete though. Be sure to validate that the user performing this action has permission on the value for `name`. (Since we can't see any code related to permissions - just a heads-up) — Michael Berkowski, Nov 24 '13 at 13:51
It's also worth noting that you could put the `WHERE` clause from the `SELECT` directly on the `DELETE` and add a `TOP 1` or `LIMIT 1` depending on your dbms to get the same result with a single query. Unless you're in a pdo transaction, your code is vulnerable to concurrent modification. — Dan, Nov 24 '13 at 13:55

score 0 · Accepted Answer · edited May 23 '17 at 11:56

0

Yes, the code is safe from SQL injections. You can use Dan's advice and combine the statements to have:

$stmt = $db->prepare("DELETE FROM players WHERE name = ? AND account_id = ? LIMIT 1");
$stmt->execute(array($name, $aid));
header("Location: /account");
exit();

edited May 23 '17 at 11:56

Community

1
1

answered Nov 24 '13 at 15:26

hjpotter92

78,589
36
144
183

Is this safe from injections?

1 Answers1