
Insert unsafe string to database

Hello, I have to insert into my DB table some unsafe data that may contain a query (SQL injection). Is there a secure way to insert this data? I am using PDO, but I only have access to the query() method.

14th Jun 2017, 10:18 PM
Mateusz Nowak
2 Answers
+ 2
You can use a prepared statement:

$connection = new PDO("mysql:host=localhost;dbname=database", $username, $password);
$sql = "SELECT * FROM table WHERE search = :search"; // named placeholder instead of the raw value
$statement = $connection->prepare($sql);
$statement->bindParam(":search", $_GET["search"]); // the value is bound separately from the SQL text
$statement->execute();
// Other codes

http://php.net/manual/en/pdo.prepared-statements.php
18th Jul 2017, 6:33 PM
$machitgarha
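The same idea applied to the INSERT the question asks about, as an added example that is not code from the thread. It uses an in-memory SQLite database so it runs offline (the MySQL DSN from the answer works the same way), the table name `notes` and both functions are made up for the illustration, and it also shows PDO::quote() as the weaker fallback for the case where only query() is usable.

```php
<?php
// Added example (not code from the thread). In-memory SQLite so it runs offline;
// with the MySQL DSN also set PDO::ATTR_EMULATE_PREPARES to false so the server,
// not PDO, separates SQL from data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Preferred: prepared statement. The SQL text is fixed up front and the values
// are sent separately, so they can never change the statement's structure.
function insertNote(PDO $pdo, string $author, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO notes (author, body) VALUES (:author, :body)');
    $stmt->bindValue(':author', $author, PDO::PARAM_STR);
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Fallback when only query() is usable: let the driver escape each value with
// PDO::quote(). Weaker than a prepared statement (escaping is driver- and
// charset-dependent, and every value must be quoted, none forgotten), so use it
// only when prepare() really is unavailable.
function insertNoteViaQuery(PDO $pdo, string $author, string $body): int
{
    $sql = sprintf('INSERT INTO notes (author, body) VALUES (%s, %s)',
                   $pdo->quote($author), $pdo->quote($body));
    $pdo->query($sql);
    return (int) $pdo->lastInsertId();
}

// Constructed hostile input: it looks like SQL, but it must be stored as data.
$payload = "x'); DROP TABLE notes; --";
$id1 = insertNote($pdo, 'alice', $payload);
$id2 = insertNoteViaQuery($pdo, 'bob', $payload);

// Read back: the payload is stored verbatim and the table still exists.
$stmt = $pdo->prepare('SELECT body FROM notes WHERE id IN (:a, :b)');
$stmt->bindValue(':a', $id1, PDO::PARAM_INT);
$stmt->bindValue(':b', $id2, PDO::PARAM_INT);
$stmt->execute();
foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $stored) {
    var_dump($stored === $payload);
}
```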
0
In Java there is a PreparedStatement object that I use for MySQL insertions and updates and those things (use ResultSet for queries); not sure about PHP though. I'm sure there are functions :/
18th Jun 2017, 6:27 AM
Michael Szczepanski