0
```php
$s = "Update member_date" [snip]
$p = $pdo->prepare($s, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
$p->execute();
```

Is that considered a "prepared" statement to justify being secure from SQL injection-type attacks?

UPDATE:

```php
$member_id = htmlspecialchars($_GET['member_id']);
$s1 = "
update member_date
set member_date = now()
where member_id = $member_id";
```

OVERALL QUESTION: "Is this how I should format all my new SQL-related code? I'm just finally making the switch from old mysql statements after reading my (new) error logs. Do I need to add in the question mark placeholders for strings and such, or is the format I have at the first line of code OK for security purposes? I know the SQL I need to get the tasks accomplished, just not the PDO security parts."

BluTiger
  • 27
  • 8
  • 1
    You should share the actual `update` statement. The concept looks right, but the devil is in the details. – Mureinik Feb 04 '17 at 20:13
  • 1
    The devil is in [snip] :-) – Paul Spiegel Feb 04 '17 at 20:15
  • I've done it now. Thanks – BluTiger Feb 04 '17 at 20:20
  • Yea I know. I've read that multiple times. It doesn't explain the how's or why's it curtails the needed bits I need to understand. – BluTiger Feb 04 '17 at 20:42
  • Because SQL code can't be executed if it's injected into a bound parameter. – Paul Spiegel Feb 04 '17 at 20:45
  • Oh. So it's binded PDO that's "secure" PDO? (Swear I'm not trolling really trying to understand this as I'm only a hobbyist developer.) There's literally no explanation of "bind" anywhere on that page heh. Thanks though I'll start researching. – BluTiger Feb 04 '17 at 20:53
  • Try an explanation from me: [Prepared statements. Protection from SQL injections](https://phpdelusions.net/pdo#prepared) – Your Common Sense Feb 05 '17 at 06:38
  • I bet "Your Common Sense" labeled this as a duplicate without reading the other article you put in @PaulSpiegel. So much sigh. Or just blindly not reading the bits where "bind" explanations are left out. Or, he's just going after all content that maybe gets mentioned in his own article he's written. It's a sad state of affairs when someone can write their own piece on SO and then mark all other content as duplicates pointing to their own article. – BluTiger Feb 05 '17 at 18:49
  • @BluTiger Did you read the *Explanation* part of the accepted Answer? "The important thing here is that the parameter values are combined with the compiled statement, not an SQL string." And the article linked by YourCommonSense is one of the best you will ever find. You better read it. – Paul Spiegel Feb 05 '17 at 21:19

2 Answers

0

No. You are not using a prepared statement as intended. What you should do is add your $id as a parameter, and so separate your content (id) from your code (sql).

While you can do safe SQL with filtering yourself, the absolute best way is to, as you put it:

add in the question mark placeholders for strings and such

You can say "this needs to be an int, and then it will never be something scary like a " or some code that does magic with your query.

Nanne
  • 64,065
  • 16
  • 119
  • 163
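The following is an added example, not code from the question or from either answer. It puts the question's interpolated UPDATE (the `htmlspecialchars` version from the UPDATE section) next to the placeholder version this answer recommends, and runs both against an in-memory SQLite database so it works offline. The table and column names `member_date` and `member_id` come from the question; the rows and the hostile input are constructed here, and MySQL's `now()` is replaced by SQLite's `datetime('now')` so the SQL runs under SQLite.

```php
<?php
// Added example: interpolated SQL (as in the question) beside a bound
// parameter (as the accepted answer recommends). Runs offline on SQLite.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE member_date (member_id INTEGER, member_date TEXT)');
// Constructed sample rows.
$pdo->exec("INSERT INTO member_date (member_id, member_date) VALUES
            (1, '2000-01-01'), (2, '2000-01-01'), (3, '2000-01-01')");

// As in the question: prepare() is called, but the value is already part of
// the SQL text, so nothing is bound and the parser sees whatever was supplied.
// htmlspecialchars() only rewrites & < > " ' into HTML entities; it does not
// understand SQL, and in a numeric context there are no quotes to escape anyway.
function updateUnsafe(PDO $pdo, string $memberId): int
{
    $memberId = htmlspecialchars($memberId);
    $s1 = "UPDATE member_date SET member_date = datetime('now') WHERE member_id = $memberId";
    $p = $pdo->prepare($s1);
    $p->execute();
    return $p->rowCount();   // rows actually changed
}

// The version the accepted answer describes: the SQL text carries a '?'
// placeholder and the value travels separately as a typed parameter. The
// input is also validated as an integer before it is bound, so a value like
// "1 OR 1=1" is rejected up front rather than silently coerced.
function updateSafe(PDO $pdo, string $memberId): int
{
    $id = filter_var($memberId, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException("member_id must be an integer, got: $memberId");
    }
    $p = $pdo->prepare("UPDATE member_date SET member_date = datetime('now') WHERE member_id = ?");
    $p->bindValue(1, $id, PDO::PARAM_INT);
    $p->execute();
    return $p->rowCount();
}

// Constructed hostile input: it contains no quotes, so htmlspecialchars()
// leaves it exactly as it is.
$hostile = '1 OR 1=1';

printf("safe, id 2:      %d row(s) updated\n", updateSafe($pdo, '2'));

try {
    updateSafe($pdo, $hostile);
} catch (InvalidArgumentException $e) {
    echo "safe, hostile:   rejected (", $e->getMessage(), ")\n";
}

printf("unsafe, hostile: %d row(s) updated\n", updateUnsafe($pdo, $hostile));
```

Running it, the bound version updates exactly one row for a legitimate id and refuses the hostile string before any SQL is sent, while the interpolated version turns `WHERE member_id = 1 OR 1=1` into a condition that matches every row, so all three constructed rows are updated. The point is the one made in this answer: calling `prepare()` is not what protects you; keeping the value out of the SQL text and passing it as a parameter is.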
-2

PDO is the best way to avoid SQL injection attacks against the server. The code looks fine, though. But PHP PDO is the absolute right way to avoid SQL injection.