
Asking Devs | Trying to prevent SQL injections using PDO

Status: This thread has been locked.

IAmVolvic (Supreme; feedback score 4, posts 177, reactions 49, resources 0)
Hey, I am trying to prevent SQL injections using PDO.
Is this a good practice?

PHP:
// Wraps htmlentities; note this is HTML escaping, not SQL escaping.
function escape2($string) {
    return htmlentities($string, ENT_QUOTES, 'UTF-8');
}

$getid = htmlentities($_GET['id']); // the input is HTML-escaped once here...
$id = escape2($getid);              // ...and a second time here

// The protection against SQL injection comes from the prepared statement and the bound parameter.
$findpro = $forum->prepare("SELECT * FROM `store` WHERE `itemid`=:id");
$findpro->bindParam(':id', $id);
$findpro->execute();
// rowCount() on a SELECT is driver-dependent in PDO: it works with MySQL but is not guaranteed by every driver.
$exists = $findpro->rowCount();
 

MaccariTA (feedback score 4, posts 201, reactions 47, resources 0)
As long as you use prepared statements properly, you're safe.
In this particular example, you're fine as far as SQLi is concerned.

It's good to mention that "htmlentities" has nothing to do with SQL injection, but with XSS.
In addition, you do not need to "htmlentities" the input; PDO already escapes the id.

If you wish to prevent XSS, you need to "htmlentities" the output, not the input.
Anyhow, I'd recommend using "htmlspecialchars" over "htmlentities" because the latter can cause display problems.

PS: this page is vulnerable to SQLi.
 
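An added example (not code from anyone in this thread) that runs the same kind of lookup against an in-memory SQLite database, assuming a `store` table shaped like the one in the question. It shows that a bound parameter keeps the request value as data, that escaping at input time corrupts what gets stored, and that HTML escaping belongs where the value is rendered:

```php
<?php
// Added example, not the original poster's code. Demonstrates the two points
// made in the reply above: PDO parameter binding keeps untrusted input as data,
// and HTML escaping belongs at output time, not at input time. Uses an in-memory
// SQLite database so it runs stand-alone; the `store` table layout is assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE store (itemid INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO store (itemid, name) VALUES (1, 'Sword'), (2, 'Shield <b>rare</b>')");

// Same lookup as in the thread: the request value is bound, never concatenated.
// The id is validated as an integer first, so junk never even reaches the database.
function findItem(PDO $db, string $rawId): ?array {
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;                      // "1 OR 1=1" fails here: it is not a number
    }
    $stmt = $db->prepare("SELECT itemid, name FROM store WHERE itemid = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escaping at input time corrupts stored data: a later search for the real name fails.
function storeName(PDO $db, string $name, bool $escapeInput): void {
    $value = $escapeInput ? htmlentities($name, ENT_QUOTES, 'UTF-8') : $name;
    $stmt = $db->prepare("INSERT INTO store (name) VALUES (:name)");
    $stmt->bindValue(':name', $value);    // a quote inside the name is harmless when bound
    $stmt->execute();
}

function countByName(PDO $db, string $name): int {
    $stmt = $db->prepare("SELECT COUNT(*) FROM store WHERE name = :name");
    $stmt->bindValue(':name', $name);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}
// Escaping belongs here, when the value is rendered into HTML.
function renderName(?array $row): string {
    $text = $row === null ? 'Not found' : $row['name'];
    return '<p>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</p>';
}

var_dump(findItem($db, '1')['name']);                  // string(5) "Sword"
var_dump(findItem($db, '1 OR 1=1'));                   // NULL
echo renderName(findItem($db, '2')), "\n";             // <p>Shield &lt;b&gt;rare&lt;/b&gt;</p>
storeName($db, "O'Reilly", true);                      // mangled to O&#039;Reilly on the way in
storeName($db, "O'Reilly", false);
var_dump(countByName($db, "O'Reilly"));                // int(1): only the unescaped copy matches
```

On MySQL the same code applies; setting PDO::ATTR_EMULATE_PREPARES to false there makes the server, rather than the client-side emulation, do the binding.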

IAmVolvic (Supreme; feedback score 4, posts 177, reactions 49, resources 0)
MaccariTA said:
> As long as you use prepared statements properly, you're safe.
> In this particular example, you're fine as far as SQLi is concerned.
>
> It's good to mention that "htmlentities" has nothing to do with SQL injection, but with XSS.
> In addition, you do not need to "htmlentities" the input; PDO already escapes the id.
>
> If you wish to prevent XSS, you need to "htmlentities" the output, not the input.
> Anyhow, I'd recommend using "htmlspecialchars" over "htmlentities" because the latter can cause display problems.
>
> PS: this page is vulnerable to SQLi.

My database is MySQL; is that still fine?

At least read the thread before spam replying.
Tell me about it. Spamming to get buyers is just outright annoying.
 

Xazin (feedback score 2, posts 20, reactions 6, resources 0)
With SQLi and prepared statements you can avoid SQL injection altogether.
Normally you would do this:
Code:
// Vulnerable: the request value is concatenated straight into the query string.
$name = $_POST['name'];
$mysqli->query("SELECT * FROM myTable WHERE name='$name'");

Whereas a prepared statement looks like this:

Code:
// Placeholders in the query; the values are bound separately with their types ("s" string, "i" integer).
$stmt = $mysqli->prepare("SELECT * FROM myTable WHERE name = ? AND age = ?");
$stmt->bind_param("si", $_POST['name'], $_POST['age']);
$stmt->execute();
// fetching the result would go here, but will be covered later
$stmt->close();

What you are doing is using a prepared statement, so you're good to go as far as I can see. I'm not really into PHP, but I do work with professional web developers, and this is basically how we do it in C and Java too.
 