Is there anyway to make this any more secure?

Asked Dec 04 '15 at 20:16

Active Dec 04 '15 at 20:16

Viewed 31 times

$query = "SELECT * FROM fruits ORDER BY id DESC LIMIT $start, $limit";
$result = $dbh->query($query);

Is there anyway to make that SELECT statement more secure using PDO? Secure as in from SQL injections anything and everything that is possible. Thanks.

asked Dec 04 '15 at 20:16

johnny880

Where are `$start` and `$limit` coming from – Mark Baker Dec 04 '15 at 20:19
@MarkBaker The variable $start is defined depending on an if statement before it. $limit = 15 – johnny880 Dec 04 '15 at 20:21
If `$limit` is always 15, then it doesn't need to be a variable – Mark Baker Dec 04 '15 at 20:22
@MarkBaker, ok, thanks. But what about $start? – johnny880 Dec 04 '15 at 20:26
If you're calculating `$start` then you have absolute control over the value that you're injecting – Mark Baker Dec 04 '15 at 20:36
@MarkBaker Sorry, what do you mean? – johnny880 Dec 04 '15 at 20:39
Is `$start` supplied by the user? Then it's most likely exploitable. Is `$start` derived from user input? Then it might be exploitable. Is it totally uncontrolled by the user? Then it's not exploitable. – Scott Arciszewski Dec 04 '15 at 21:01
for instance on SO there is a `page=` in the url (often if one paginates except for page 1). It could also come from POST to make it slightly more cumbersome to play with. But that doesn't change much. When the server gets it, it can decide if the value passed is rubbish. – Drew Dec 04 '15 at 21:21

Is there anyway to make this any more secure?

0 Answers0