All geek questions in one place

I still need to use a prepared expression

Using PHP and MySQLi I have a simple form with 4 dropdowns of HTML 5 Dropdown. Now I wonder if I still have to use the Prepared Statement to protect my database? Am I still in danger of SQL injection? Or there is some other type of risk for using this type of inputs. Thanks

+6
source share
1 answer

You are still wide open for an injection attack, since the value inserted in the selection box can be easily changed by the end user.

If you have a good side to the verification server, then doing this without a prepared statement will work.

With good, I mean something like this:

$array = Array("all", "your", "possible", "values", "from", "Select boxes"); if(in_array ($_POST['selectbox'], $array)){ //Mysql statements etc.... }

Directly inserting user input is NEVER a good idea. You should never trust the end user!

+9
source

Source: https://habr.com/ru/post/974941/

More articles:


All Articles