Understanding user data validation for prepared statements

I read that you do not need to validate or sanitize user input if you use prepared statements.

This, however, does not make sense to me in the following example.

The user gives his email address.

I usually run this:

Validation code

 // validate the submitted address before it is used anywhere
 if (!filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
     header("Location: index.php");
     die("Wrong email-address");
 }

The claim was that we do not need to validate the data if we use prepared statements, as shown below.

Code without validation

 // get the email address and password hash from the db
 $result = pg_prepare($dbconn, "query2", 'SELECT email, passhash_md5
     FROM users WHERE email = $1
     AND passhash_md5 = $2;');
 if (!$result) {
     echo "An error occurred";
     exit;
 }
 // $1 and $2 are bound to the raw POST values; they are sent to the
 // server separately from the SQL text, so they cannot change the query
 $result = pg_execute($dbconn, "query2", array($_POST['email'], $_POST['password']));
 if (!$result) {
     echo "An error occurred";
     exit;
 }

I'm not sure whether the validation code is needed in the second example, since we use pg_prepare and pg_execute.

Do you need to validate and sanitize user input if you use prepared statements?


+6

[...]

Sanitizing [...] ([...] XSS). INSERT INTO people (names) VALUES('$name') [...] $name = "O'Reilly" [...] SQL injection.

[...] PostgreSQL [...]
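As an added example, not code from the original post or from this answer: the O'Reilly case sent to the database by string interpolation and by a prepared statement, side by side. It assumes PDO with an in-memory SQLite database so it runs without a PostgreSQL server (parameters behave the same way through pg_prepare()/pg_execute()); the table `people` and the two constructed inputs are this example's own. It finishes with htmlspecialchars() at output time, which is where sanitizing against XSS belongs.

```php
<?php
// Added example, not from the original post: the same value sent to the
// database by string interpolation and by a prepared statement.
// Assumption: PDO with an in-memory SQLite database stands in for the
// pg_prepare()/pg_execute() calls in the question.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (names TEXT NOT NULL)');

// Constructed inputs: a legitimate name with an apostrophe, and a value
// that closes the literal and makes the server evaluate attacker SQL.
$inputs = ["O'Reilly", "' || (SELECT sqlite_version()) || '"];

foreach ($inputs as $name) {
    // 1. Interpolation: the apostrophe ends the string literal early, so
    //    whatever follows is parsed as SQL. O'Reilly becomes a syntax
    //    error; the crafted value becomes an injected subquery.
    try {
        $db->exec("INSERT INTO people (names) VALUES('$name')");
        echo "interpolated: statement accepted for $name\n";
    } catch (PDOException $e) {
        echo "interpolated: rejected $name: " . $e->getMessage() . "\n";
    }

    // 2. Prepared statement: the SQL text is fixed and the value is bound
    //    as a parameter, so it cannot change the statement. No escaping
    //    of quotes is needed, which is the point this answer makes.
    $stmt = $db->prepare('INSERT INTO people (names) VALUES(?)');
    $stmt->execute([$name]);
    echo "prepared: stored $name as data\n";
}

// The rows hold the raw values. Sanitizing for the output context (here
// HTML, against XSS) happens when the data is displayed, not on the way in.
foreach ($db->query('SELECT names FROM people') as $row) {
    echo htmlspecialchars($row['names'], ENT_QUOTES, 'UTF-8') . "\n";
}
```

Running it shows three rows: the interpolated version of the second input stores the SQLite version string, because the server evaluated the attacker's subquery, while both prepared inserts store the submitted text exactly as typed.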

+4


For example, if you have a form requesting a phone number, a user entering "jkl; asdgfjkladg" will not damage your database, but the data will be useless.

Never trust your users to do what they should do. If you accept input from users, make sure they do it correctly.
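As an added example (not the answerer's code) of the phone-number point above: a prepared statement accepts "jkl; asdgfjkladg" without complaint, so the check has to happen before the query runs. The validate_contact() function, the E.164-style phone pattern, the `contacts` table and the sample submissions are all this example's own assumptions; it reuses the FILTER_VALIDATE_EMAIL check from the question and PDO with in-memory SQLite in place of pg_execute().

```php
<?php
// Added example, not from the original post: a prepared statement protects
// the SQL, not the meaning of the data, so validation runs before it.
// Assumptions: PDO with in-memory SQLite instead of PostgreSQL, an
// E.164-style phone pattern, and constructed form submissions.

function validate_contact(array $input): array
{
    $errors = [];

    // Email: the same check the question already uses.
    if (!filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        $errors['email'] = 'not a valid email address';
    }

    // Phone: assumed format, optional '+' followed by 7 to 15 digits.
    if (!preg_match('/^\+?[0-9]{7,15}$/', $input['phone'] ?? '')) {
        $errors['phone'] = 'not a valid phone number';
    }

    return $errors;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (email TEXT NOT NULL, phone TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO contacts (email, phone) VALUES (?, ?)');

// Constructed submissions standing in for $_POST.
$submissions = [
    ['email' => 'alice@example.com', 'phone' => '+14155550100'],
    ['email' => 'alice@example.com', 'phone' => 'jkl; asdgfjkladg'],
    ['email' => 'not an address',    'phone' => '+14155550100'],
];

// Without validation every row goes in: nothing here is an SQL error,
// the garbage is simply stored as a phone number.
foreach ($submissions as $s) {
    $insert->execute([$s['email'], $s['phone']]);
}
echo 'rows stored without validation: '
    . $db->query('SELECT COUNT(*) FROM contacts')->fetchColumn() . "\n";

// With validation only the well-formed submission reaches the database.
$db->exec('DELETE FROM contacts');
foreach ($submissions as $s) {
    $errors = validate_contact($s);
    if ($errors) {
        echo 'rejected ' . json_encode($s) . ': ' . implode(', ', $errors) . "\n";
        continue;
    }
    $insert->execute([$s['email'], $s['phone']]);
}
echo 'rows stored with validation: '
    . $db->query('SELECT COUNT(*) FROM contacts')->fetchColumn() . "\n";
```

The first pass stores all three submissions; the second stores only the first one and reports why the other two were rejected. The prepared statement is unchanged between the two passes, which is the whole point: it does not know what a phone number is.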


Source: https://habr.com/ru/post/1714655/
