Do I need to escape data before inserting it into a database?

I read that with PDO you do not need to escape the variables if you use "prepare" and pass the variables to execute:

    $st = $dbh->prepare("INSERT INTO mytable (name,email) VALUES (?,?)");
    $st->execute(array($_POST['name'], $_POST['email']));

Is that true?

Or do I still need to do something with $_POST?

+6

3 answers

Escaping is not required with prepared statements (and escaping anyway would lead to double escaping, so the escaped form of the data would be written to the database).

However, PDO prepared statements CANNOT handle every kind of query, and sometimes you will have to put "other" data directly into the query string, which means you are responsible for escaping it. In particular, dynamic queries that change table and/or field names cannot be expressed with prepared statements, e.g.

 SELECT ? FROM ? WHERE ?=? 

is not possible. Only values can be passed through placeholders.

+5

Short answer: No, you do not need to escape anything. Parameterized queries are absolutely awesome! :)

Long answer: No, you do not need to escape anything on the way into the database. However, you should use htmlspecialchars when displaying database output from queries to prevent XSS attacks, otherwise you will end up with something like this in an arbitrary field:

<script type="text/javascript">alert('sup, I'm in ur site!');</script> .

+2
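The two answers above make separate points: values go through placeholders with no manual escaping, identifiers such as column names cannot be bound and must be checked some other way, and HTML escaping belongs at display time. The following is an added example illustrating all three, not code from the thread; it assumes the pdo_sqlite extension is available and uses an in-memory database so it runs stand-alone.

```php
<?php
// Added example, not from the original answers. Assumes pdo_sqlite is enabled.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');

// Constructed input standing in for $_POST; it contains a quote and HTML markup.
$post = ['name' => "O'Brien <script>alert(1)</script>", 'email' => 'ob@example.com'];

// 1. Values: placeholders only. Escaping here would be double escaping, as the
//    first answer notes; the quote is stored verbatim and does not break the query.
$st = $dbh->prepare('INSERT INTO mytable (name, email) VALUES (?, ?)');
$st->execute([$post['name'] ?? '', $post['email'] ?? '']);

// 2. Identifiers: an ORDER BY column cannot be bound with ?, so it is taken from
//    a fixed allow-list. The value interpolated into SQL is always our own literal.
function orderedRows(PDO $dbh, string $orderBy): array
{
    $allowed = ['id', 'name', 'email'];
    if (!in_array($orderBy, $allowed, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    return $dbh->query("SELECT name, email FROM mytable ORDER BY $orderBy")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Output: escape for HTML only when rendering, as the second answer says.
function renderRow(array $row): string
{
    return '<li>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')
         . ' &lt;' . htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8') . '&gt;</li>';
}

foreach (orderedRows($dbh, 'name') as $row) {
    echo renderRow($row), "\n";   // the <script> text appears as literal text, not markup
}

try {
    orderedRows($dbh, 'name; DROP TABLE mytable');   // rejected by the allow-list
} catch (InvalidArgumentException $e) {
    echo 'rejected sort column: ', $e->getMessage(), "\n";
}
```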

It's true; the code is correct (although you may want to handle the case where $_POST['name'] is not set).

PDO prepared statements pass values to the database in a form that does not need to be explicitly escaped.

+2

Source: https://habr.com/ru/post/903117/
