Forums
RS-Linkify
Quick find code: 261-262-33-65181208
You don't need to escape database input if you parameterize queries (I use PDO)
They're especially nice because you don't need to send the query each time you want to make a request. You just send different parameters.
For example:
$query = "SELECT * FROM table_name WHERE user = :user";
$query_params = array(":user"=>trim($_GET['user']));
try{
$stmt = $this->db->prepare($query);
$result = $stmt->execute($query_params);
}catch(PDOException $ex){
die("Something went wrong!"
;
}
print_r($stmt->fetchAll());
You should still do more to your $_GET than trim it, but you'll be pretty safe from SQL injection. For rs display names, just chop it at 12 characters, remove non-alphanumeric characters besides hyphens/underscores/spaces, and call it a day. RSN's are probably the safest things to take in as input :p
They're especially nice because you don't need to send the query each time you want to make a request. You just send different parameters.
For example:
$query = "SELECT * FROM table_name WHERE user = :user";
$query_params = array(":user"=>trim($_GET['user']));
try{
$stmt = $this->db->prepare($query);
$result = $stmt->execute($query_params);
}catch(PDOException $ex){
die("Something went wrong!"
}
print_r($stmt->fetchAll());
You should still do more to your $_GET than trim it, but you'll be pretty safe from SQL injection. For rs display names, just chop it at 12 characters, remove non-alphanumeric characters besides hyphens/underscores/spaces, and call it a day. RSN's are probably the safest things to take in as input :p
25-Jan-2014 04:24:48 - Last edited on 25-Jan-2014 04:25:25 by Meredith wtf
Quick find code: 261-262-33-65181208 Back to Top