0
Insert unsafe string to database
Hello, I have to insert to my db table some unsafe data that can have query(SQL injection) inside. Is there a secure way to insert this data? I am using pdo but I have only access to query() method.
2 Respuestas
+ 2
You can use prepared statement:
$connection = new PDO("mysql:host=localhost;dbname=database", $username, $password);
$sql = "SELECT * FROM table WHERE search = :search";
$statement = $connection->prepare($sql);
$statement->bindParam(":search", $_GET["search"]);
$statement->execute();
// Other codes
http://php.net/manual/en/pdo.prepared-statements.php
0
in java there is a PreparedStatement object that I use for mySql insertions and updates and those thing (use ResultSet for queries)
not sure about php tho. im sure there are functions :/