
Finally I am migrating from SQL to PDO, but I am a little bit confused about strings.

Here is my code, which works perfectly and is secured from SQL injection:

// DSN must not contain spaces around '=' (was "host = localhost")
$connect = new PDO("mysql:host=localhost;dbname=sqlitest", "root", "");
$catId = $_GET["Id"];  // Id = int eg: 1
// '?' is a placeholder; the value is bound separately, never spliced into the SQL
$query = "select * from viewimage where ImageCategory = ?";
$result = $connect->prepare($query);
$result->execute(array($catId));
$result->setFetchMode(PDO::FETCH_ASSOC);
while ($fetch = $result->fetch()):
    $img = $fetch["Image"];
    echo "<img src='img/event/$img' height='300px' width='300px'>";
endwhile;

but when `$catId = $_GET["Id"];` where Id is a string, e.g. ColorDay, and I try

localhost/test/view.php?id=ColorDay'

no image is displayed in the above case. If I put

localhost/test/view.php?id=1'

the result is the same and it redirects to the same page containing the image. Which command should I use to be secured from the 'No Image Result' in the string case?

Nabeel
  • Is the `'` part of your URL? Are you saying that `1'` returns an image, but `ColorDay'` does not? I don't know if I understand the question here. – gen_Eric Oct 22 '14 at 19:45
  • 1
    well, if `ImageCategory` contains only integers, what do you expect to show up when you look for the string `ColorDay`? That's like wondering why there aren't any green socks in package marked "red socks". – Marc B Oct 22 '14 at 19:47
  • ' is not a part of my URL; both 1 and ColorDay return an image, but when I checked for SQL injection with ', 1' returns an image and ColorDay' returns no image – Nabeel Oct 22 '14 at 19:48
  • 1
    *Ah,* I see what you're trying to do. You're testing to see that if someone adds `'` at the end of the URL, to see if it will trigger an injection, *correct?*. If so, just use a conditional statement, then echo a different message if no result. – Funk Forty Niner Oct 22 '14 at 19:50
  • Yes, currently I am testing for SQL injection errors @Fred-ii- – Nabeel Oct 22 '14 at 19:56
  • Seems like I'm the only one so far who understood your question. – Funk Forty Niner Oct 22 '14 at 19:56
  • The point of using parameterized queries is that SQL injection is now a thing of the past! You never have to worry about what will happen if someone adds a `'`. All you need to do is check how many results your query returns and do something if it's 0. – gen_Eric Oct 22 '14 at 19:57

2 Answers


This line:

$result->execute(array($catId));

makes your code secure. If the image is not returned, it's another problem, but to me it looks like expected behavior.

Sebas
  1. Encode any string that goes into your URL and decode the data before you use it in your application (see this).
  2. Watch out for XSS; don't just output strings from your database to the browser.
  3. See this answer on how to completely prevent SQL injection.
IROEGBU
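Pulling the two answers and the comment thread together, here is an added example (not code from the asker or either answerer) of the pattern they describe: bind the `Id` value as a parameter so a trailing `'` is just data that matches no row, check explicitly for an empty result instead of assuming one, and escape the database value before echoing it into HTML. The table and column names follow the question; the DSN options, the hypothetical function names `fetchImagesForCategory` and `renderImages`, and the credentials are assumptions for illustration.

```php
<?php
// Added example, not the page's own code. Assumes the viewimage table from the
// question (columns ImageCategory, Image); DSN and credentials are placeholders.

function fetchImagesForCategory(PDO $pdo, string $category): array
{
    // The value is sent separately from the SQL text, so inputs such as "1'"
    // or "ColorDay'" are compared literally and simply match no row; they
    // cannot alter the query.
    $stmt = $pdo->prepare('SELECT Image FROM viewimage WHERE ImageCategory = ?');
    $stmt->execute([$category]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function renderImages(array $images): string
{
    // An empty result is a normal outcome, not an error: say so instead of
    // rendering nothing (the "No Image Result" case from the question).
    if ($images === []) {
        return '<p>No images found for this category.</p>';
    }
    $html = '';
    foreach ($images as $img) {
        // Escape before placing a database value inside an HTML attribute (XSS).
        $safe = htmlspecialchars($img, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= "<img src='img/event/{$safe}' height='300' width='300'>\n";
    }
    return $html;
}

// Throw on SQL errors rather than failing silently, and use real server-side
// prepared statements.
$pdo = new PDO('mysql:host=localhost;dbname=sqlitest;charset=utf8mb4', 'root', '', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// A missing or non-string parameter is treated as "no category" rather than
// raising a notice.
$catId = isset($_GET['Id']) && is_string($_GET['Id']) ? $_GET['Id'] : '';

echo renderImages(fetchImagesForCategory($pdo, $catId));
```

With this in place, `view.php?Id=1'` and `view.php?Id=ColorDay'` behave identically: the quoted value matches nothing, the query still runs without error, and the visitor sees the "No images found" message rather than a blank page.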