Friday, 15 February 2013

php - What needs to be escaped in a query when inserting data from textarea?


I have a simple comment system: the user inputs text in a textarea, a PHP script runs, checks if the user is logged in, and if submit was pressed and the form is filled out, it goes on to insert the data. The question is, do I need to escape/trim/strip? Right now the query looks like this:

$sql = $con->prepare("INSERT INTO comments (user, comment, pageid, time) VALUES (:user, :comment, :pageid, NOW())");
$sql->bindValue(":user", $user, PDO::PARAM_STR);
$sql->bindValue(":comment", $comment, PDO::PARAM_STR);
$sql->bindValue(":pageid", $pageid, PDO::PARAM_INT);
$sql->execute();

The variables come from a form using the POST method. Is this secure against SQL injection, or do I need trimming or escaping before inserting the data?

As long as you're using PDO prepared statements with placeholders, you're practically as safe as can be.

I recommend, though, that you utilize ->execute() with an array; it's much simpler than manually binding variables.

$sth = $con->prepare('INSERT INTO comments (user, comment, pageid, time) VALUES (?, ?, ?, NOW())');
$sth->execute(array($user, $comment, $pageid));
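The following is an added, self-contained example (not code from the question or the answer above) that runs the answer's execute()-with-array form against an in-memory SQLite database, so it can be tried without a MySQL server. The table layout, the stand-in POST values and the validateComment() helper are constructed here; SQLite's datetime('now') stands in for MySQL's NOW(). It shows that a comment full of quotes, semicolons and dashes is stored exactly as typed without any escaping step, and that trimming and length checks are a separate validation concern from SQL injection.

```php
<?php
// Added example, not part of the original question or answer.
// Assumes the pdo_sqlite driver is available; the table mirrors the one in the question.
$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$con->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, user TEXT, comment TEXT, pageid INTEGER, time TEXT)');

// Constructed stand-ins for $_POST values, deliberately awkward for a SQL string.
$post = array(
    'user'    => "  o'brien  ",
    'comment' => "Bob's \"comment\"; it has -- dashes, 'quotes' and a backslash \\",
    'pageid'  => '42',
);

// Hypothetical helper: trimming and length checks are input validation, deciding
// whether the request is acceptable at all. They are not what prevents SQL injection.
function validateComment(array $post)
{
    $user    = trim($post['user']);
    $comment = trim($post['comment']);
    $pageid  = filter_var($post['pageid'], FILTER_VALIDATE_INT);
    if ($user === '' || $comment === '' || $pageid === false) {
        return null;
    }
    if (strlen($comment) > 2000) {
        return null;
    }
    return array($user, $comment, $pageid);
}

$row = validateComment($post);
if ($row === null) {
    exit("rejected\n");
}

// Same shape as the answer: the values travel as parameters and are never
// spliced into the SQL text, so quotes and semicolons cannot change the statement.
$sth = $con->prepare("INSERT INTO comments (user, comment, pageid, time) VALUES (?, ?, ?, datetime('now'))");
$sth->execute($row);

$stored = $con->query('SELECT user, comment, pageid FROM comments')->fetch(PDO::FETCH_ASSOC);
var_dump($stored['comment'] === $row[1]); // bool(true): stored verbatim, nothing was escaped away

// Escaping belongs at output time, for the HTML context, not before the INSERT.
echo '<p>' . htmlspecialchars($stored['comment'], ENT_QUOTES, 'UTF-8') . "</p>\n";
```

On pdo_mysql, additionally setting PDO::ATTR_EMULATE_PREPARES to false makes the server parse the statement and receive the values separately instead of the driver quoting them client-side; either way the application code never builds SQL from the POST data.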

php sql pdo escaping code-injection
