To prevent SQL injection using PDO in PHP using custom functions

Question

i am going to prevent SQL injection using PDO but i Want to know can my code prevent SQL injection
Here is my code

connection.php

<?php
$hostname='localhost';
$username='root';
$password='root';

try {
      $pdo_obj = new PDO("mysql:host=$hostname;dbname=dbname",$username,$password);
      $pdo_obj->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
      $pdo_obj->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 
    }
 catch(PDOException $e)
    {
      echo $e->getMessage();
    }

    ?>

my function.php

    <?php

    function getdata($pdo_obj, $sql, $params=NULL)      // pdo prepaired statements
    {
       $stmt = $pdo_obj->prepare($sql);
        $stmt->execute($params);
        return $stmt; 
    }
?>

and my page.php

<?php
$searchTerm = $_GET['term'];
 $result=getdata($pdo_obj,"SELECT b_type FROM b_details WHERE b_type LIKE '%".$searchTerm."%'")->fetchAll();
// my work
?>

every thing working fine but i am not sure is this code prevent SQL Injection Thanks in Advance

You are still entering data directly into the SQL query from user input, so it is SQL injectable. — Matt, Feb 25 '16 at 09:43

score 3 · Accepted Answer · answered Feb 25 '16 at 09:44

3

You aren't using your function's ability to protect from injection. To do so you have to send any data via parameters.

<?php
$searchTerm = '%'.$_GET['term'].'%';
$sql = "SELECT b_type FROM b_details WHERE b_type LIKE ?";
$result = getdata($pdo_obj, $sql, [$searchTerm])->fetchAll(PDO::FETCH_COLUMN);

BTW, I added a PDO::FETCH_COLUMN constant that will make the returned array more convenient, given only one column is selected.

answered Feb 25 '16 at 09:44

Your Common Sense

156,878
40
214
345

i trying to insert data in database but nothing happen no error,no warning and and not inserting data in database..what is wrong in that? – Sarjerao Ghadage Mar 01 '16 at 11:14
1

may be you suppressing the error message somehow. or may be it's a sort of typo – Your Common Sense Mar 01 '16 at 11:16
1

Again. you shouldn'be concerned in the code. Any error in the code will produce an exception. You should be concerned in getting this exception. – Your Common Sense Mar 01 '16 at 11:23
thanks i got it problem sloved.................. – Sarjerao Ghadage Mar 01 '16 at 11:52
can above function will create problem while 100+ user trying to access the same function at time? – Sarjerao Ghadage Mar 12 '16 at 10:19
thanks @Your Common Sense – Sarjerao Ghadage Mar 12 '16 at 11:01
after calling getdata() in every time(in same application different place on same page) can i have set PDO Object NULL or not? – Sarjerao Ghadage Mar 19 '16 at 09:07
1

Never set it to null – Your Common Sense Mar 19 '16 at 09:11

To prevent SQL injection using PDO in PHP using custom functions

1 Answers1