
Just want to understand whether there is any vulnerability in this code, and any possibility of altering the SQL syntax via an unsafe POST variable. Please can someone advise; also please share an example of a secured version of this code if it has a vulnerability and is open to SQL injection. Thanks.

    <?php
    // Oracle connect descriptor for the PDO_OCI driver.
    $database = '
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
      )
      (CONNECT_DATA =
        (SERVICE_NAME = pdsales1)
      )
    )';

    $db = new PDO('oci:dbname=' . $database, 'hr', 'hr');

    // The SQL text is fixed here; :department_id is a placeholder, not string concatenation.
    $sth = $db->prepare('SELECT EMPLOYEE_ID, FIRST_NAME FROM EMPLOYEES WHERE department_id = :department_id');

    // bindParam() binds by reference, so the variable may be assigned after this call
    // and its value is read when execute() runs.
    $sth->bindParam(':department_id', $department_id);

    //$department_id = $_POST['department_id'];
    $department_id = 20;

    $sth->execute();

    $rows = array();

    while ($row = $sth->fetch(PDO::FETCH_OBJ)) {
        $rows[] = $row;
        //echo $row->FIRST_NAME . "\n";
    }

    $json_data = json_encode($rows);
    //echo $json_data;
    ?>
davidb
  • This kind of question is off-topic on Stack Overflow. You are supposed to read existing answers, understand them, and write your code accordingly. If you have a problem understanding any particular statement, then ask a question regarding that doubt. – Your Common Sense Jan 01 '18 at 12:10
  • No apparent vulnerabilities here. Since you are retrieving all rows and not preprocessing them in any way, with PDO you may skip the `while` loop and just get them all at once: `$rows = $sth->fetchAll(PDO::FETCH_OBJ);` – Michael Berkowski Jan 01 '18 at 14:22
  • @MichaelBerkowski, thank you for the details. – davidb Jan 02 '18 at 06:31
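Added example, not the asker's code and not a Stack Overflow answer: the same lookup written twice, once with the request value concatenated into the SQL text (the pattern the question worries about) and once with a PDO prepared statement and a bound parameter, as in the posted code. It runs against an in-memory SQLite database so it can be executed offline without an Oracle instance; the table, its columns and the sample rows are constructed for this demo.

```php
<?php
// Added example (not the question's code). Uses SQLite in memory so it runs offline;
// the EMPLOYEES table and rows below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE EMPLOYEES (EMPLOYEE_ID INTEGER, FIRST_NAME TEXT, DEPARTMENT_ID INTEGER)');
$db->exec("INSERT INTO EMPLOYEES VALUES (100, 'Ada', 20), (101, 'Bob', 20), (102, 'Cy', 30)");

// Unsafe form: the request value becomes part of the SQL text, so it can change
// the statement's structure instead of only supplying a value.
function employeesByDeptUnsafe(PDO $db, string $deptInput): array
{
    $sql = 'SELECT EMPLOYEE_ID, FIRST_NAME FROM EMPLOYEES WHERE DEPARTMENT_ID = ' . $deptInput;
    return $db->query($sql)->fetchAll(PDO::FETCH_OBJ);
}

// Safe form (what the posted code does): the SQL text is fixed at prepare() time and
// the value is handed over separately, so it is always compared as data, never parsed as SQL.
function employeesByDeptSafe(PDO $db, string $deptInput): array
{
    $sth = $db->prepare('SELECT EMPLOYEE_ID, FIRST_NAME FROM EMPLOYEES WHERE DEPARTMENT_ID = :department_id');
    $sth->bindValue(':department_id', $deptInput);
    $sth->execute();
    return $sth->fetchAll(PDO::FETCH_OBJ);
}

// Constructed request values: a normal department id and one that tries to alter the syntax.
$inputs = ['20', '20 OR 1=1'];

foreach ($inputs as $input) {
    $unsafe = employeesByDeptUnsafe($db, $input);
    $safe   = employeesByDeptSafe($db, $input);
    printf("input %-12s concatenated: %d rows   bound parameter: %d rows\n",
        var_export($input, true), count($unsafe), count($safe));
}
// For '20' both forms return the 2 rows of department 20. For '20 OR 1=1' the
// concatenated form returns all 3 rows because the WHERE clause was rewritten,
// while the bound form returns 0 rows: the whole string is compared against
// DEPARTMENT_ID as one value and matches nothing.
```

On Oracle the bound string '20 OR 1=1' would not silently match nothing; the implicit conversion to NUMBER fails with a conversion error, which is still not an injection. In practice you would validate the request value up front (for example with `filter_var($_POST['department_id'], FILTER_VALIDATE_INT)` and `PDO::PARAM_INT` on the bind) so bad input is rejected with a clear message before the query runs, but the binding alone is what keeps the SQL structure fixed.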
