PDO - Using Prepared Statements to Stop Injection Attacks
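<?php

declare(strict_types=1);

// PDO - Using prepared statements to stop injection attacks.
//
// The query below never concatenates user input into the SQL text. The values
// travel separately as bound parameters, so the database treats them as data,
// never as SQL syntax. Placeholders can only stand for values: table and
// column names (and ORDER BY direction) cannot be bound, so never build those
// parts of a query from user input either.

// Do some validation first! filter_var() returns false when the value is
// missing, is not a well-formed integer, or arrived as an array
// (?int_col[]=1), so all of those are refused up front.
if (filter_var($_GET['int_col'] ?? null, FILTER_VALIDATE_INT) === false) {
    die('You must enter a valid integer!');
}

// A query-string key can also be submitted as an array; PDO cannot bind an
// array, so insist on a scalar string before it reaches execute().
$string_col = $_GET['string_col'] ?? null;
if (!is_string($string_col)) {
    die('You must enter a valid string_col value!');
}

// The connection charset belongs in the DSN so the client library and the
// server agree on the encoding; a mismatch is what made the historical
// multibyte escaping bypasses work against client-side (emulated) quoting.
$dsn = 'mysql:dbname=my_database;host=myserver.com;charset=utf8mb4';
$username = 'username';
$password = 'password';
$user_id = 1;

// Set up PDO.
//  - ERRMODE_EXCEPTION: a failed prepare()/execute() throws instead of
//    silently returning false (which older PHP versions did by default).
//  - EMULATE_PREPARES => false: the statement text and its parameters are sent
//    to the server separately (true server-side prepared statements) rather
//    than being quoted and interpolated client-side by the driver.
$pdo = new PDO($dsn, $username, $password, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Our parametrized query using placeholders. No need for quotes around the
// values; the driver and server take care of that.
$query = 'SELECT secret_data FROM mytable WHERE string_col = ? AND int_col = ? AND user_id = ?';

// Our input values, in placeholder order. No need to escape: they are bound,
// not concatenated. int_col is cast now that it has been validated above.
$parameters = [
    $string_col,
    (int) $_GET['int_col'],
    $user_id,
];

// Prepare the query (throws PDOException on failure under ERRMODE_EXCEPTION).
$statement = $pdo->prepare($query);

// Execute the query with our parameters.
$statement->execute($parameters);

// Get the first returned row as an associative array, or false if no row
// matched.
$row = $statement->fetch(PDO::FETCH_ASSOC);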