Kevin Murphy

Reputation: 408

PDO Insert with POST

I currently have this type of PDO statement to INSERT variables into the array below. I was told using PDO statements would be the most secure way of doing an insert in PHP.

$qry = $db->prepare('INSERT INTO twocents (path, name, message) VALUES (?, ?, ?)');
$qry->execute(array($path, $name, $message));

Now, would setting $path, $name, and $message to the POST values from a posted form still be as secure? I'm not sure how else you would do an INSERT if those variables weren't being set by anything.

Thanks!

Upvotes: 0

Views: 1161

Answers (3)

itachi

Reputation: 6393

Yes. It is secure (from SQL injection only).

Upvotes: 0

summea

Reputation: 7583

In some cases, it would probably be fine. However, you'd probably want to perform some type of sanitization on the $_POST data before inserting it into the prepared statement. Otherwise, you might get some gnarly data in the database. The prepared statement does help, regardless.

Upvotes: 0

penartur

Reputation: 9912

Yes, this is completely secure in terms of SQL injections prevention.

However, you'll probably still need to escape the data on output, e.g. if $message you received is <script language="Javascript" src="http://evil.site.com/evil.script.js"></script>, you probably wouldn't want to output it with <p><?=$message?></p>. Some template engines (XSLT for example) eliminate this problem by separately processing HTML (XML) code and data, so that in <p><xsl:value-of select="message"/></p>, message is treated as a <p/> node text value, and is automatically escaped when writing a processed XML into a string.

Upvotes: 1
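The points made in the last two answers (validate what comes in from $_POST, and escape on output rather than trusting the prepared statement to cover XSS) can be put together in one script. This is an added example, not code from the question or from any of the answerers; the table and column names are the ones from the question, while the DSN, credentials, length limits and function names are assumptions.

```php
<?php
// Added example (not from the original question or answers): the question's
// prepared INSERT fed from $_POST, with validation on the way in and escaping
// on the way out. Table/column names come from the question; DSN, credentials
// and the per-field length limits are assumptions.
declare(strict_types=1);

function connect(): PDO
{
    // Assumed DSN and credentials. ERRMODE_EXCEPTION so failures are not
    // silent; EMULATE_PREPARES off so the driver uses server-side prepares.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Validate the posted fields before they reach the database. The prepared
// statement already neutralises SQL injection; this step rejects data that is
// simply wrong for the application (missing, an array instead of a string,
// not valid UTF-8, or longer than the column allows).
function validateTwoCents(array $post): array
{
    $limits = ['path' => 255, 'name' => 100, 'message' => 4000]; // assumed limits
    $clean = [];
    foreach ($limits as $field => $max) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {
            // $_POST['name'] is an array when the form sends name[]; reject it.
            throw new InvalidArgumentException("$field must be a string");
        }
        if (!mb_check_encoding($value, 'UTF-8')) {
            throw new InvalidArgumentException("$field is not valid UTF-8");
        }
        $value = trim($value);
        if ($value === '' || mb_strlen($value, 'UTF-8') > $max) {
            throw new InvalidArgumentException("$field is missing or longer than $max characters");
        }
        $clean[$field] = $value;
    }
    return $clean;
}

function insertTwoCents(PDO $db, array $row): void
{
    // Same statement as in the question: placeholders in the SQL text, values
    // bound separately, never concatenated into the query string.
    $qry = $db->prepare('INSERT INTO twocents (path, name, message) VALUES (?, ?, ?)');
    $qry->execute([$row['path'], $row['name'], $row['message']]);
}

// Escape at output time, so a stored <script> tag is rendered as literal text
// rather than as markup. This is the step the prepared statement does not do.
function renderMessage(string $message): string
{
    return '<p>' . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $db  = connect();
    $row = validateTwoCents($_POST);
    insertTwoCents($db, $row);
    echo renderMessage($row['message']);
}
```

Escaping belongs at the point of output, not before the INSERT: the database should hold the original text, and htmlspecialchars() is applied for an HTML context specifically. Data that later ends up in a JavaScript string, a URL or an attribute needs the escaping rule for that context instead.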
