
Escaping a string with PHP PDO

class _display
{
    private function threads($id){
        // prepare() returns a PDOStatement; execute() and fetch() are called on it, not on the connection
        $stmt = $this->dbh->prepare("select * from threads where id = :id");
        $stmt->execute(array(':id' => $id));
        $row = $stmt->fetch();
        return $row;
    }
}


$id = $_GET['id'];


Do I need to do anything with the $id?

+3




2 answers


TL;DR: No, parameters in prepared statements must not be escaped.

The whole problem of escaping SQL queries arose because the ancient mysql_* library only passed the entire query as a single string, with no way to mark "this is syntax" and "this is data" - that was inferred from the syntax itself, and the responsibility for submitting a valid query lay entirely with the caller; this also allowed malformed / malicious data to be treated as syntax, leading to SQL injection, etc.



Prepared statements take a different approach: you submit the query with placeholders and pass the data separately. Because of this, you don't need to escape the data, since it is already separated from the syntax. (Of course, prepared statements are not a silver bullet, but using them effectively closes one of the main vulnerabilities.)

+1


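To make the syntax/data separation concrete, here is an added example (not code from the question or either answer) that runs the same lookup both ways against an in-memory SQLite database; it assumes the pdo_sqlite extension is available, and the table, rows and the input value are constructed for the demonstration.

```php
<?php
// Added example: why bound parameters need no escaping.
// Assumption: PDO with the pdo_sqlite driver is installed.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Let the database driver bind values itself rather than PDO's client-side emulation.
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample table and rows.
$dbh->exec("CREATE TABLE threads (id INTEGER PRIMARY KEY, title TEXT)");
$dbh->exec("INSERT INTO threads (id, title) VALUES (1, 'first'), (2, 'second'), (3, 'third')");

// Vulnerable form, the old mysql_* habit: the value is spliced into the query text,
// so whatever it contains is parsed as syntax.
function threadsInterpolated(PDO $dbh, string $id): array
{
    $stmt = $dbh->query("SELECT * FROM threads WHERE id = $id");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared form: the query text with its placeholder is the syntax, and $id is
// always handed over as data, so nothing in it can change the statement's shape.
function threadsPrepared(PDO $dbh, string $id): array
{
    $stmt = $dbh->prepare("SELECT * FROM threads WHERE id = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input standing in for an unchecked ?id= value; note it is not escaped anywhere.
$untrusted = "1 OR 1=1";

printf("interpolated: %d row(s)\n", count(threadsInterpolated($dbh, $untrusted)));
printf("prepared:     %d row(s)\n", count(threadsPrepared($dbh, $untrusted)));
```

Compare the two row counts: in the prepared form the whole string is compared against the id column as a single value, which is exactly the separation the answer describes.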


You can bind the $id value:

 $get = $this->dbh->prepare("select * from threads where id = ?");
 $get->bindValue(1, $id, PDO::PARAM_INT);
 $get->execute(); // execute() returns a bool, so don't store it as the result
 $data = $get->fetch(PDO::FETCH_ASSOC);



This will reduce the chance of SQL injection, since we are binding the id as an integer, and this is best practice.

0








