
Changing from PHP 5 to PHP 7, I must change my queries. I am now using PDO.

I connect to the db like this:

$conn = new PDO("mysql:host=$hostname;dbname=$db", $username, $password);

My full query is 6 queries joined by UNION ALL. My (simplified) query is like this:

$query="select * from table
where sub_category like '%$input%'";

where input is "kettles", for example.

My script gets the input value like this:

$input = $_GET['input'];

If I sanitise it using:

$input = $conn->quote($_GET['input']);

the value becomes 'kettles' (surrounded with single quotes), and my query returns 0 results.

I process the query thus:

$stmt = $conn->prepare($query);
$stmt->execute(array("%$query%")); 

$data = $stmt->fetchAll();

So, is PDO sanitising it, and if not, how do I do it?

headache
  • 1
    When you use prepared statements with placeholders (like your last example, if you're using placeholders in the query?), you shouldn't sanitize the data since you're not adding the variable into the query itself. – M. Eriksson Sep 24 '20 at 13:34
  • 2
    Also, where did you learn that `$conn->query($_GET['input']);` is how you sanitize values? – M. Eriksson Sep 24 '20 at 13:39
  • 1
    _“Also, (Having read this in the php docs), where does the variable $query come from?”_ - how should we know what you read where, _exactly_? At least give us the URL to the page you are referring to in a case like this! – 04FS Sep 24 '20 at 13:48
  • 1
    https://stackoverflow.com/questions/583336/how-do-i-create-a-pdo-parameterized-query-with-a-like-statement – Your Common Sense Sep 24 '20 at 14:05
  • Thanks to all so far. I have edited my question to respond to/clarify the points raised. – headache Sep 24 '20 at 14:25
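The LIKE search from the question written with a PDO prepared statement, as an added example (not code from the question or the comments). It uses the table and column names from the question and assumes `$hostname`, `$db`, `$username` and `$password` are already set; the names `:needle` and `$needle` are chosen here.

```php
<?php
// Added example, not from the question. Table/column names come from the
// question; $hostname, $db, $username, $password are assumed to be defined.

$conn = new PDO(
    "mysql:host=$hostname;dbname=$db;charset=utf8mb4",
    $username,
    $password,
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// Raw user input, untouched: no quote(), no escaping. quote() is only for
// building SQL text by hand; it returns the value wrapped in quotes, which is
// why 'kettles' (quotes included) ended up inside the LIKE pattern earlier.
$input = $_GET['input'] ?? '';   // e.g. "kettles"

// The SQL text contains only a placeholder; the value never becomes part of
// the query string, so the driver treats it strictly as data.
// The '%' wildcards are added to the bound VALUE, not written into the SQL.
$query = "SELECT * FROM `table` WHERE sub_category LIKE :needle";

// If a user types '%' or '_' and it should match literally rather than as a
// wildcard, escape those (and backslash) before adding the outer wildcards.
// MySQL's default LIKE escape character is the backslash.
$needle = '%' . addcslashes($input, '%_\\') . '%';

$stmt = $conn->prepare($query);
$stmt->execute([':needle' => $needle]);
$data = $stmt->fetchAll(PDO::FETCH_ASSOC);

// For the full six-SELECT UNION ALL version: with emulation off, MySQL will
// not accept the same named placeholder twice in one statement, so give each
// SELECT its own placeholder (:n1 .. :n6) and bind $needle to every one.
```

Nothing in `$input` needs to be sanitised for the query itself; validation of what the value may contain (length, allowed characters) is a separate concern from SQL safety.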

0 Answers