Reputation: 175
This is my first participation in this great website, so I hope to get the first great answer to my question. I'm using the following code to insert data into a MySQL database:

```php
<?php
// $conn is an already-open PDO connection to the MySQL database.
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form2"))
{
    // Prepared statement with named placeholders; the values are bound, not concatenated into the SQL.
    $q = $conn->prepare("INSERT INTO client (name, address) VALUES (:name, :address)");
    $q->bindValue(':name', htmlspecialchars($_POST['name']), PDO::PARAM_STR);
    $q->bindValue(':address', htmlspecialchars($_POST['address']), PDO::PARAM_STR);
    $q->execute();
}
```

Is the insertion secure enough? Should I use htmlspecialchars() at the moment of insertion or at the moment of displaying the data?
Kind regards
Upvotes: 1
Views: 166
Reputation: 64526
Yes, your code is secure, but as a general rule of thumb, store data in a neutral form. That is, not encoded for any specific output or medium. Do the encoding on the way out, not in.

If you were to do the opposite and pass it through htmlspecialchars() before storing (like your code in the question), then your data is tied specifically to being output in HTML. If you wanted to output it elsewhere (such as an XML document, for example), where htmlspecialchars() is not applicable, then you would have to first decode it.
Upvotes: 3
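The following is an added example illustrating the answer's advice; it is not code from the question or the answer. It stores the submitted values unencoded through a prepared statement and applies the encoding at output time, once per medium (HTML, XML, JSON), then shows what happens to a value that was HTML-encoded before storage. It assumes the pdo_sqlite extension so that it can run offline against an in-memory database instead of MySQL; the `client` table and the submitted form values are constructed for the demonstration.

```php
<?php
// Added example, not the question's or the answer's code. Assumes pdo_sqlite
// and uses an in-memory database in place of MySQL; the table and the sample
// form input are constructed for the demonstration.
declare(strict_types=1);

$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE client (id INTEGER PRIMARY KEY, name TEXT NOT NULL, address TEXT NOT NULL)');

// Store the value exactly as submitted. The prepared statement keeps the SQL
// safe; no HTML encoding is applied at this layer.
function insertClient(PDO $conn, string $name, string $address): int
{
    $q = $conn->prepare('INSERT INTO client (name, address) VALUES (:name, :address)');
    $q->bindValue(':name', $name, PDO::PARAM_STR);
    $q->bindValue(':address', $address, PDO::PARAM_STR);
    $q->execute();
    return (int) $conn->lastInsertId();
}

function fetchClient(PDO $conn, int $id): array
{
    $q = $conn->prepare('SELECT name, address FROM client WHERE id = :id');
    $q->bindValue(':id', $id, PDO::PARAM_INT);
    $q->execute();
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException("no client with id $id");
    }
    return $row;
}

// Encode on the way out, once per output medium.
function renderHtml(array $row): string
{
    // ENT_QUOTES is passed explicitly: before PHP 8.1 the default flags leave
    // single quotes unescaped, which matters inside single-quoted attributes.
    $name    = htmlspecialchars($row['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $address = htmlspecialchars($row['address'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<li>' . $name . ' (' . $address . ')</li>';
}

function renderXml(array $row): string
{
    // The DOM serializer escapes text nodes, so the raw stored value goes in as-is.
    $doc = new DOMDocument('1.0', 'UTF-8');
    $client = $doc->appendChild($doc->createElement('client'));
    foreach (['name', 'address'] as $field) {
        $el = $client->appendChild($doc->createElement($field));
        $el->appendChild($doc->createTextNode($row[$field]));
    }
    return $doc->saveXML($client);
}

function renderJson(array $row): string
{
    // json_encode does the escaping appropriate for JSON; HTML entities would be wrong here.
    return json_encode($row, JSON_THROW_ON_ERROR);
}

// Constructed form input containing characters significant in HTML, SQL, XML and JSON.
$submitted = ['name' => "O'Brien & Sons <b>Ltd</b>", 'address' => '1 "Main" St'];

$id  = insertClient($conn, $submitted['name'], $submitted['address']);
$row = fetchClient($conn, $id);

echo renderHtml($row), PHP_EOL;
echo renderXml($row), PHP_EOL;
echo renderJson($row), PHP_EOL;

// For contrast: encoding at insertion time (the pattern in the question) ties the
// stored value to HTML. Sent to JSON it carries HTML entities the consumer does not
// expect, and sent through renderHtml() it is encoded a second time.
$encodedId  = insertClient($conn, htmlspecialchars($submitted['name'], ENT_QUOTES), $submitted['address']);
$encodedRow = fetchClient($conn, $encodedId);
echo renderJson($encodedRow), PHP_EOL;
echo renderHtml($encodedRow), PHP_EOL;
```

Run with `php example.php`. The first three lines of output show the same stored name correctly escaped for each medium from a single neutral copy; the last two show the pre-encoded copy leaking `&amp;` and `&#039;` into JSON and turning into `&amp;amp;` in HTML. The SQL injection protection comes entirely from the prepared statement and bound parameters, which is why the question's insert is safe with or without htmlspecialchars(); the encoding only decides how the value will look when it is later displayed.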