PDO sanitize?

PostPosted: 11. May 2018 15:26
by Epiales
Okay, I have just started learning PDO and was curious if the below code is safe and secure? I'm used to doing the mysqli_real_escape_string, so all new to me. From what I've read online, I think it's secure, but never hurts to ask. Also, if this isn't the place, please let me know and I'll search another forum. Thank you and sorry if it's out of line.


Code:
<?php

if (isset($_POST['register']))
{
    // $con (the PDO connection object) is created in dbconnection.php
    include_once('dbconnection.php');

    // get values from input text and number
    $fname = $_POST['uname'];

    // mysql query to insert data; :fname is a named placeholder, not the value itself
    $sql = "INSERT INTO `tbl_users`(`username`) VALUES (:fname)";

    $result = $con->prepare($sql);

    // the value is bound at execute time, separately from the SQL text
    $query = $result->execute(array(":fname" => $fname));

    // check if mysql insert query successful
    if ($query)
    {
        echo 'Data Inserted';
    } else {
        echo 'Data Not Inserted';
    }
}
?>


Thank you much!

Re: PDO sanitize?

PostPosted: 12. May 2018 10:57
by Altrea
We cannot answer this because security is always a matter of use case. There are so many possible attack types.

For example if you want to know if your code is secure against all types of SQL injection attacks the answer is probably no.
One possible attack method is described here
https://stackoverflow.com/questions/134 ... -injection
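The snippet below is an added example, not code posted by either participant in this thread. It takes the insert from the first post and puts it beside the connection setup that the original `dbconnection.php` does not show, because the safety of a PDO prepared statement depends on how the connection is configured, not only on using a placeholder. The MySQL DSN, user and password are placeholders; the table `tbl_users(username)` is the one from the thread; the `demo()` function uses an in-memory SQLite database so the binding behaviour can be exercised without a server, and its input values are constructed for illustration.

```php
<?php
// Added example (not the original poster's code). Assumes a MySQL server
// reachable with the placeholder DSN below and a table tbl_users(username).
declare(strict_types=1);

/**
 * Open a PDO connection with the settings that matter for parameterised queries.
 * For MySQL, put the charset in the DSN (e.g. "...;charset=utf8mb4") so the server
 * and the driver agree on how the SQL text is encoded.
 */
function connect(string $dsn, ?string $user = null, ?string $pass = null): PDO
{
    $options = [
        // Throw on errors instead of returning false; the original code would call
        // execute() on a boolean if prepare() failed silently.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    if (str_starts_with($dsn, 'mysql:')) {
        // Use native server-side prepares: the SQL text and the bound values travel
        // to the server separately, so the driver never splices quoted values into
        // the statement string on the client.
        $options[PDO::ATTR_EMULATE_PREPARES] = false;
    }
    return new PDO($dsn, $user, $pass, $options);
}

/**
 * The insert from the thread: the placeholder is part of the SQL text, the
 * username is supplied only at execute time as data.
 */
function registerUser(PDO $con, string $username): bool
{
    $stmt = $con->prepare('INSERT INTO `tbl_users` (`username`) VALUES (:fname)');
    return $stmt->execute([':fname' => $username]);
}

/**
 * Self-contained check using SQLite in memory (no MySQL needed). Inserts two
 * constructed usernames containing SQL metacharacters and reads them back; they
 * are stored verbatim because they were never interpreted as SQL.
 */
function demo(): array
{
    $con = connect('sqlite::memory:');
    $con->exec('CREATE TABLE tbl_users (username TEXT NOT NULL)');

    $inputs = [
        "o'brien",              // constructed: apostrophe that would end a quoted literal
        "d'artagnan -- ; '",    // constructed: quote, comment marker and statement separator
    ];
    foreach ($inputs as $name) {
        registerUser($con, $name);
    }
    return $con->query('SELECT username FROM tbl_users ORDER BY rowid')
               ->fetchAll(PDO::FETCH_COLUMN);
}

// Usage against MySQL would be:
//   $con = connect('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS');
//   registerUser($con, $_POST['uname']);
// Stand-alone run:
print_r(demo());
```

Two caveats a practitioner should keep in mind: bound parameters protect only values, so a table name, column name or ORDER BY direction taken from user input still has to be checked against a fixed allow-list before it is concatenated into the SQL text; and with `ERRMODE_EXCEPTION` the "Data Not Inserted" branch of the original code is replaced by a thrown `PDOException`, which should be caught and logged rather than echoed to the user.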

Re: PDO sanitize?

PostPosted: 14. May 2018 22:58
by Epiales
Thank you for the link. Appreciate it :)