Michael Samuel

Reputation: 3920

MYSQL interval query SQL injection

I have this simple MYSQL query:

SELECT * FROM table WHERE date > now() - INTERVAL $hours HOUR

$hours is a PHP GET variable. Do I have to do any check on this variable before using it in the query to avoid SQL injection, or is it secure enough? I use PDO statements.

Upvotes: 0

Views: 232

Answers (2)

user2879055

Reputation: 176

Something like this would be good:

$sth = $Db->dbh->prepare("SELECT * FROM `table` WHERE date > now() - INTERVAL :hours HOUR");
$sth->execute(array(':hours' => $hours));

That's a way to escape your strings. This can be different from your code, but the array in the execute and the query will be the same (if you use PDO).

Upvotes: 1

Ivan Cachicatari

Reputation: 4284

Use prepared statements

See How can I prevent SQL-injection in PHP?

Maybe you are getting variables directly from $_POST or $_GET

$unsafe_variable = $_POST['user_input'];

Upvotes: 0
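Both answers recommend prepared statements. The following is an added example, not code from the question or from either answer, showing why the query in the question is injectable despite taking a number and how the same query looks with PDO parameters plus input validation. The table and column names (events, created_at), the DSN and the credentials are assumptions.

```php
<?php
declare(strict_types=1);

// Added example; not from the original question or answers. Table/column
// names and the DSN/credentials below are assumptions.

// 1. The pattern from the question: string interpolation. INTERVAL n HOUR
//    takes a bare number, so there is no quote for an attacker to break out
//    of; whatever follows the number is simply parsed as SQL.
function buildQueryUnsafe(string $hours): string
{
    return "SELECT * FROM events WHERE created_at > NOW() - INTERVAL $hours HOUR";
}

// Constructed attacker value for ?hours=...: supplies its own unit, appends a
// tautology and comments out the trailing HOUR, so every row comes back.
$hostile = '1 HOUR OR 1=1 -- ';
echo buildQueryUnsafe($hostile), PHP_EOL;
// SELECT * FROM events WHERE created_at > NOW() - INTERVAL 1 HOUR OR 1=1 -- HOUR

// 2. Validate first, then bind. Validation keeps the value in the domain the
//    query expects (a bounded positive integer); the prepared statement keeps
//    it from ever being parsed as SQL, so each control covers the other.
function hoursFromRequest(array $get, int $max = 24 * 365): int
{
    $hours = filter_var(
        $get['hours'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $max]]
    );
    if ($hours === false) {
        throw new InvalidArgumentException("hours must be an integer between 1 and $max");
    }
    return $hours;
}

function fetchRecent(PDO $pdo, int $hours): array
{
    // The unit (HOUR) stays in the SQL text; only the number is a parameter.
    $stmt = $pdo->prepare(
        'SELECT * FROM events WHERE created_at > NOW() - INTERVAL :hours HOUR'
    );
    $stmt->bindValue(':hours', $hours, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with an assumed DSN and credentials. With ATTR_EMULATE_PREPARES set to
// false, :hours is a real server-side parameter. With emulation left on, PDO
// splices the bound value into the query text itself (quoted as a string in
// some PHP versions); MySQL still accepts INTERVAL '5' HOUR, and the integer
// validation above means the spliced text can only ever be a number.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$rows = fetchRecent($pdo, hoursFromRequest($_GET));
```

Using PDO does not help by itself: the query in the question is a plain string by the time PDO sees it, so `prepare()` on it would simply prepare the already-injected text. The protection comes from keeping `$hours` out of the SQL string and passing it as a bound parameter, and from rejecting anything that is not an integer in a sensible range before the query is built.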
