
I'm stuck on how to sanitize the code below for SQL injections.

Line 3 is where I'm stuck; I put ??? for the value I'm not sure of. I'd also appreciate it if someone could review the entire thing to check whether I made other mistakes.

$path will look something like /1/A/2/B/3/C/

1 $path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
2 $stmt = $db->prepare("SELECT * FROM table WHERE path = :path");
3 $path = filter_input(???, 'path', FILTER_SANITIZE_STRING);
4 $stmt->bindParam(':path', $path, PDO::PARAM_STR); // was $post, which is never defined; the prepared statement is $stmt
5 $stmt->execute();
  • @JohnConde Can you please show me where filter_input is used? I do not see it in the link provided. – user1052448 Oct 27 '15 at 15:24
  • Please read the linked question carefully and try to understand how SQL injection actually works. Blaming *dangerous* characters that get through is a common misconception. – Álvaro González Oct 27 '15 at 15:26
  • @ÁlvaroG.Vicario So filter_input(INPUT_SERVER, 'path', ..) wouldn't be correct? I'm not sure why the method linked is better than what I had written. I guess I'm having a hard time understanding something out of a PHP textbook vs someone's post on here. – user1052448 Oct 27 '15 at 15:30
  • You are not sure because you don't really understand what SQL injection is or how parametrised queries work. Learn that and you'll realise yourself. Seriously :) – Álvaro González Oct 27 '15 at 15:37
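The point the comments are making, as an added example that is not the asker's code and not an answer from the page: with a prepared statement the SQL text is fixed before the value is supplied, so the value never becomes part of the query and there is nothing left to "sanitize". parse_url() on line 1 already returns a plain string, so line 3 is not needed at all; FILTER_SANITIZE_STRING would strip tags and HTML-encode quotes (silently changing the path being looked up) and is deprecated since PHP 8.1. filter_input(INPUT_SERVER, ...) is also unreliable under some SAPIs (it has returned NULL under FastCGI), so reading $_SERVER directly, as line 1 already does, is the usual choice. The example below runs against an in-memory SQLite database through PDO so it works offline; the table name `pages`, its rows, the hostile path string and the allowlist pattern in `isExpectedPath()` are all constructed for the demo and are assumptions about this app's URLs, not anything from the original post.

```php
<?php
// Added example, not the asker's code. In-memory SQLite via PDO so it runs offline;
// the table "pages" and its rows are constructed for the demo.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, path TEXT NOT NULL, body TEXT NOT NULL)');
$db->exec("INSERT INTO pages (path, body) VALUES ('/1/A/2/B/3/C/', 'public'), ('/9/Z/', 'secret')");

// In the real app the path comes from the request:
//   $path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
// parse_url() returns a plain string; it does not sanitize anything, and nothing needs to.
// A hostile path is constructed here so the difference between the two queries is visible.
$hostile = "/1/A/2/B/3/C/' OR '1'='1";

// 1. Vulnerable: the path is spliced into the SQL text, so the quote closes the literal
//    and the attacker's OR clause matches every row. Shown only for contrast; never do this.
function lookupConcatenated(PDO $db, string $path): array
{
    $sql = "SELECT path, body FROM pages WHERE path = '" . $path . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Safe: the statement text is fixed at prepare() time and the value is bound separately.
//    The quote inside $path is just data; it can only ever be compared against the column.
function lookupBound(PDO $db, string $path): array
{
    $stmt = $db->prepare('SELECT path, body FROM pages WHERE path = :path');
    $stmt->bindValue(':path', $path, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Optional input validation, separate from injection protection: this app only expects
//    paths shaped like /1/A/2/B/3/C/, so reject anything else before querying.
//    (The pattern is an assumption about this app's URLs, not the security boundary.)
function isExpectedPath(string $path): bool
{
    return preg_match('#^(/[0-9]+/[A-Z]+)+/$#', $path) === 1;
}

$byConcat = lookupConcatenated($db, $hostile);
$byBind   = lookupBound($db, $hostile);
printf("concatenated: %d row(s) returned, last body = %s\n", count($byConcat), $byConcat[count($byConcat) - 1]['body'] ?? '-');
printf("bound:        %d row(s) returned\n", count($byBind));
printf("validation:   %s\n", isExpectedPath($hostile) ? 'accepted' : 'rejected');
```

Run it with a PHP build that has pdo_sqlite enabled. The concatenated query returns every row, including the one the request should never have seen, because the injected `OR '1'='1'` became part of the statement; the bound query compares the whole hostile string against the column as a single value and returns nothing. The allowlist check is worth keeping for rejecting malformed requests early, but it is not what prevents injection: the bound parameter is.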

0 Answers