Was the PDO statement used correctly?

I just need to make sure that I have written the PDO prepared statement correctly. Will the following code be protected against SQL injection?

 $data['username'] = $username;
 $data['password'] = $password;
 $data['salt']     = $this->generate_salt();
 $data['email']    = $email;

 // Named placeholders: the values are bound at execute() time, not concatenated into the SQL text
 $sth = $this->db->prepare("INSERT INTO `user` (username, password, salt, email, created)
                            VALUES (:username, :password, :salt, :email, NOW())");
 $sth->execute($data);
+6
2 answers

Yes, your code is safe. However, it can be shortened:

 $data = array(
     $username,
     $password,
     $this->generate_salt(),
     $email
 );

 // If you don't want to do anything with the returned value:
 $this->db->prepare("
     INSERT INTO `user` (username, password, salt, email, created)
     VALUES (?, ?, ?, ?, NOW())
 ")->execute($data);
+7

You can start with an empty array for $data like

 // start with a fresh array for data
 $data = array();

 // imagine your code here

Your code looks good.

EDIT: I missed your call to NOW(). IMHO, you should bind it as a variable as well, for example

 // bind date
 $data['created'] = date("Y-m-d H:i:s");   // MySQL DATETIME format

 // updated prepare statement
 $sth = $this->db->prepare("INSERT INTO `user` (username, password, salt, email, created)
                            VALUES (:username, :password, :salt, :email, :created)");
+1
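The following is an added example, not code from the question or from either answer. It puts the question's prepared INSERT (with the timestamp bound as :created, as the second answer suggests) into a self-contained script that runs against an in-memory SQLite database, feeds it a constructed injection payload as the username, and confirms that the payload is stored as plain data and the table survives. It also exercises the failure mode behind the second answer's "start with a fresh array" advice: a leftover key in $data with no matching placeholder makes execute() fail. The UserStore class, the table schema, the generate_salt() stand-in and the sample input are all assumptions made for this demo; pdo_sqlite is assumed to be available.

```php
<?php
// Added example, not code from the question or either answer. Runs offline
// against an in-memory SQLite database; the schema, the UserStore class,
// the generate_salt() stand-in and the sample input are constructed here.
declare(strict_types=1);

final class UserStore
{
    private PDO $db;

    public function __construct()
    {
        $this->db = new PDO('sqlite::memory:');
        // Surface SQL errors as exceptions instead of silent false returns.
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // Assumed schema; the question only shows the column names.
        $this->db->exec('CREATE TABLE user (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            username TEXT NOT NULL,
            password TEXT NOT NULL,
            salt TEXT NOT NULL,
            email TEXT NOT NULL,
            created TEXT NOT NULL
        )');
    }

    // Stand-in for the question's generate_salt(), which is not shown.
    private function generate_salt(): string
    {
        return bin2hex(random_bytes(16));
    }

    // The question's INSERT, with the timestamp bound as :created (the second
    // answer's suggestion) because SQLite has no NOW(). How $password is derived
    // is outside the injection question; it is stored as passed.
    public function insert(array $data): int
    {
        $sth = $this->db->prepare(
            'INSERT INTO user (username, password, salt, email, created)
             VALUES (:username, :password, :salt, :email, :created)'
        );
        $sth->execute($data);   // values are bound, never spliced into the SQL text
        return (int) $this->db->lastInsertId();
    }

    public function createUser(string $username, string $password, string $email): int
    {
        $data = [];             // fresh array: no stale keys from earlier code
        $data['username'] = $username;
        $data['password'] = $password;
        $data['salt']     = $this->generate_salt();
        $data['email']    = $email;
        $data['created']  = date('Y-m-d H:i:s');
        return $this->insert($data);
    }

    public function usernameById(int $id): ?string
    {
        $sth = $this->db->prepare('SELECT username FROM user WHERE id = :id');
        $sth->execute(['id' => $id]);
        $name = $sth->fetchColumn();
        return $name === false ? null : (string) $name;
    }

    public function countUsers(): int
    {
        return (int) $this->db->query('SELECT COUNT(*) FROM user')->fetchColumn();
    }
}

$store = new UserStore();

// Constructed attack input. Concatenated into the SQL text it would close the
// VALUES list and append a DROP TABLE; bound as a parameter it is just a string.
$payload = "x', 'p', 's', 'e', '2000-01-01'); DROP TABLE user; --";
$id = $store->createUser($payload, 'secret', 'attacker@example.com');

$storedVerbatim = $store->usernameById($id) === $payload;
$tableIntact    = $store->countUsers() === 1;
printf("payload stored as data: %s\n", $storedVerbatim ? 'yes' : 'NO');
printf("user table intact:      %s\n", $tableIntact ? 'yes' : 'NO');

// Failure mode behind "start with a fresh array": a key in $data that has no
// placeholder in the statement makes execute() fail (PDO refuses to bind more
// values than the SQL declares), so leftover keys break the insert.
$stale = [
    'username' => 'bob', 'password' => 'pw', 'salt' => 'abcd',
    'email' => 'bob@example.com', 'created' => '2024-01-01 00:00:00',
    'role' => 'admin',      // no :role placeholder in the INSERT
];
try {
    $store->insert($stale);
    echo "extra key accepted (unexpected)\n";
} catch (PDOException $e) {
    echo "extra key rejected: " . $e->getMessage() . "\n";
}

exit($storedVerbatim && $tableIntact ? 0 : 1);
```

Run it with `php` from the command line; it exits non-zero if the payload was not stored verbatim or the table is gone. One caveat worth keeping in mind when reading the "yes, it is safe" verdict above: parameter binding protects values only. Table or column names and ORDER BY directions cannot be bound, so any of those that come from user input still need an allow-list, regardless of how the values are passed.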

Source: https://habr.com/ru/post/915023/
