Reputation: 694
Our application in PHP/MySQL uses PDO prepared statements to insert data from users without any sanitizing. At a later stage, a user can copy created entries, thousands at a time.
For copying part we have tested:
$stmt = $pdo->prepare("INSERT INTO files (`a`,`b`,`c`) VALUES (?,?,?)");
$pdo->beginTransaction();
foreach ($data as $row) {
    $stmt->execute($row);
}
$pdo->commit();
vs
// $loop_query holds one "(...)" value tuple per copied row, built as strings in PHP
$pdo->exec("INSERT INTO files (`a`,`b`,`c`) VALUES " . implode(', ', $loop_query));
$row represents a row from the database. The first approach is 3 times slower than the second. We would like to implement the second approach.
How safe is it to use data from the database without prepared statements?
Upvotes: 0
Views: 251
Reputation: 6513
It is not safe. As you mention, the data in the DB is raw.
If you retrieve it into the programming language (PHP in this case) and use it again in an SQL statement, it must be protected again against SQL injection.
Can't you do an INSERT (fields) SELECT values instead?
Upvotes: 1
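The two safe alternatives raised in this thread, written out as an added example (this is not code from the question or the answer): the INSERT ... SELECT the answer proposes, and a batched multi-row prepared INSERT for the case where rows really have to pass through PHP. Table and column names follow the question; the `id` column, the `$ids` parameter and the connection details are assumptions.

```php
<?php
// Added example (not from the question or answer): two ways to copy rows
// without concatenating database values into SQL. Table/column names
// (files, a, b, c) follow the question; the `id` column is assumed.

/**
 * Approach 1 (what the answer suggests): copy rows server-side with
 * INSERT ... SELECT. The row data never leaves MySQL, so there is nothing
 * to escape; only the list of source ids is user-controlled, and it is
 * bound through placeholders, never interpolated.
 */
function copyRowsWithInsertSelect(PDO $pdo, array $ids): int
{
    if ($ids === []) {
        return 0;
    }
    // One "?" per id.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "INSERT INTO files (`a`,`b`,`c`) "
         . "SELECT `a`,`b`,`c` FROM files WHERE `id` IN ($placeholders)";
    $stmt = $pdo->prepare($sql);
    // Bind as integers so a non-numeric id is rejected instead of cast silently.
    foreach (array_values($ids) as $i => $id) {
        $stmt->bindValue($i + 1, (int) $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

/**
 * Approach 2: when the rows must pass through PHP (e.g. they are modified
 * on the way), keep the multi-row INSERT but generate the VALUES
 * placeholders and bind every cell. This keeps most of the speed of the
 * single-statement insert from the question while still using prepared
 * statements. Rows are sent in chunks to stay well under max_allowed_packet
 * and MySQL's per-statement placeholder limit.
 */
function copyRowsBatched(PDO $pdo, array $rows, int $chunkSize = 500): int
{
    $inserted = 0;
    $pdo->beginTransaction();
    try {
        foreach (array_chunk($rows, $chunkSize) as $chunk) {
            $sql = "INSERT INTO files (`a`,`b`,`c`) VALUES "
                 . implode(', ', array_fill(0, count($chunk), '(?,?,?)'));
            $stmt = $pdo->prepare($sql);
            $params = [];
            foreach ($chunk as $row) {
                // Each $row is [a, b, c]; flatten into one parameter list.
                $params[] = $row[0];
                $params[] = $row[1];
                $params[] = $row[2];
            }
            $stmt->execute($params);
            $inserted += $stmt->rowCount();
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
    return $inserted;
}

// Usage (connection details are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
// ]);
// copyRowsWithInsertSelect($pdo, [1, 2, 3]);
// copyRowsBatched($pdo, [['x', 'y', 'z'], ['p', 'q', 'r']]);
```

The first function is the one to prefer for a plain copy: the values stay inside the server, so the question of escaping "raw" database content does not arise at all. The second is the safe version of the fast path the question wanted; the only string built in PHP is the placeholder skeleton, and every cell is bound. With emulated prepares turned off, MySQL limits a single prepared statement to 65535 placeholders, so a chunk of 500 rows times 3 columns (1500) leaves plenty of margin.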