- PHP: using prepared statements and protecting against SQL injection vs escape
- select {$fields} from {$table} where Age='{$age}' order by {$orderby_pref}
- $fields = mysql_escape($fields);
- $table = mysql_escape($table);
- $age = mysql_escape($age);
- $orderby_pref = mysql_escape($orderby_pref);
- select {$fields} from {$table} where Age='{$age}' order by {$orderby_pref}
- # Order
- switch(strtoupper($Order)){
- default:
- case 'ASC':
- $Order = 'ASC';
- break;
- case 'DESC':
- $Order = 'DESC';
- break;
- }
- # ID
- $ID = 39;
- $Username = 'David';
- # Query
- $Query = $this->DB->Main->prepare('SELECT * FROM Table WHERE ID = :ID AND Username = :Username ORDER BY HellBob '.$Order);
- $Query->bindValue(':ID', $ID, PDO::PARAM_INT);
- $Query->bindValue(':Username', $Username, PDO::PARAM_STR);
- # All good ?
- if(!$Query->execute()){
- exit('Error');
- }
- // Results
- $Row = $Query->fetch(PDO::FETCH_ASSOC);
- $fields = explode(',', $user_supplied_fields);
- foreach ($fields as $field) {
- $field = trim($field);
- if (preg_match('/[^a-zA-Z0-9._]/', $field)) {
- // invalid field name
- return false;
- }
- }
Don't like ads? PRO users don't see any ads ;-)
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
create a new version of this paste
RAW Paste Data