Unclear when MySQL code is injection-proof when using PDO

I understand the basic idea of how MySQL statements can be vulnerable, but every time I try to find a useful guide, the ways of achieving this with PDO look different from one another. On top of that, people on Stack Overflow sometimes tell me that my code is vulnerable; for example, the other day this was said about the following (which does not work with BAT, but I was taught to do it this way):

$search = $_GET["search"];
$searcharray = explode('|', $search);
// the user-supplied terms are concatenated straight into the SQL text
$query = ("SELECT username,sender,message,subject,timestamp,threadid,msgtype
    FROM Messages WHERE ('" . implode("'|'", $searcharray) . "') IN CONCAT(message,subject)
    ORDER BY timestamp");

.. but why? Would it not be enough to have:

$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);

before the code and

$result = $conn->query($query)->fetchAll(PDO::FETCH_OBJ);

then?


Anything that comes from outside (such as $_GET) has to be passed as a bound parameter, like this:

$search = $_GET["search"];
$searcharray = explode('|', $search);
$query = ("SELECT username,sender,message,subject,timestamp,threadid,msgtype
    FROM Messages WHERE :searchParams IN CONCAT(message,subject)
    ORDER BY timestamp");

// the value travels separately from the SQL text, so it cannot alter the statement
$query = $conn->prepare($query);
$query->execute(['searchParams' => implode("'|'", $searcharray)]);

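As an added example (not code from the question or from the answer), here is how the same multi-term search can be written so that each term taken from $_GET becomes its own bound parameter and the SQL text never contains user input; $servername, $dbname, $username and $password are assumed to be defined as in the question, and the buildSearchQuery helper is this example's own.

```php
<?php
// Added example: one LIKE condition per search term, every term bound as a
// parameter. Assumes $servername, $dbname, $username, $password are defined.

function buildSearchQuery(array $terms): array {
    // Drop empty terms so input like "a|" cannot turn into LIKE '%%' (matches all rows).
    $terms = array_values(array_filter($terms, fn($t) => $t !== ''));
    if ($terms === []) {
        return ["SELECT username, sender, message, subject, timestamp, threadid, msgtype"
              . " FROM Messages WHERE 0", []];
    }
    $conditions = [];
    $params = [];
    foreach ($terms as $i => $term) {
        $conditions[] = "CONCAT(message, subject) LIKE :term$i";
        // Escape LIKE metacharacters so '%' and '_' typed by the user match literally
        // (MySQL's default LIKE escape character is the backslash).
        $params[":term$i"] = '%' . addcslashes($term, '%_\\') . '%';
    }
    $sql = "SELECT username, sender, message, subject, timestamp, threadid, msgtype"
         . " FROM Messages WHERE " . implode(' OR ', $conditions)
         . " ORDER BY timestamp";
    return [$sql, $params];
}

$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Server-side prepares: parameter values are sent apart from the statement text.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$search = $_GET['search'] ?? '';
[$sql, $params] = buildSearchQuery(explode('|', $search));

$stmt = $conn->prepare($sql);   // only the fixed SQL text is parsed by the server
$stmt->execute($params);        // the terms arrive as data, never as SQL
$result = $stmt->fetchAll(PDO::FETCH_OBJ);
```

The difference from the question's first snippet is that $conn->query($query) parses a string that already contains the user's input, while prepare()/execute() parses a string that contains only placeholders.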

Source: https://habr.com/ru/post/1679056/
