0

I currently have this type of PDO statement to INSERT variables into the array below. I was told using PDO statements would be the most secure way of doing an insert in PHP. 

$qry = $db->prepare('INSERT INTO twocents (path, name, message) VALUES (?, ?, ?)');
$qry->execute(array($path, $name, $message));

Now, would setting $path, $name, and $message to the POST values from a posted form still be as secure? I'm not sure how else you would do an INSERT if those variables weren't being set by anything.

Thanks!

summea
  • 7,390
  • 4
  • 32
  • 48
Kevin Murphy
  • 378
  • 8
  • 24

3 Answers3

1

Yes, this is completely secure in terms of SQL injections prevention.

However, you'll probably still need to escape the data on output, e.g. if $message you received is <script language="Javascript" src="http://evil.site.com/evil.script.js"></script>, you probably wouldn't want to output it with <p><?=$message?></p>. Some template engines (XSLT for example) eliminate this problem by separately processing HTML (XML) code and data, so that in <p><xsl:value-of select="message"/></p>, message is treated as a <p/> node text value, and is automatically escaped when writing a processed XML into a string.

penartur
  • 9,792
  • 5
  • 39
  • 50
0

In some cases, it would probably be fine. However, you'd probably want to perform some type of sanitization on the $_POST data before inserting it into the prepared statement. Otherwise, you might get some gnarly data in the database. The prepared statement does help, regardless.

Community
  • 1
  • 1
summea
  • 7,390
  • 4
  • 32
  • 48
0

Yes. It is secured (from sql injection only).

itachi
  • 6,323
  • 3
  • 30
  • 40