sanitise pdo query()


purencool

Hi phpfreaks

I have created this method that is using PDO and the PDO query() method. My question is: I would usually use mysql_real_escape_string, but I am not sure if I should or not.

The information is saying that if I use prepare I don't, and if I use query I do have to sanitise. Any information would be greatly appreciated.


    private function queryPDO($query) {
        $result = null; // defined even when the query throws, so the return below is never undefined

        try {
            echo "QueryPDO<br>";
            $this->dataObj->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            // query() sends $query to the server as-is: anything interpolated into it is part of the SQL text
            $stmt = $this->dataObj->query($query);
            $result = $stmt->fetch(PDO::FETCH_OBJ);
            print_r($result);
        } catch (PDOException $e) {
            // the original called getMessage() and discarded it; log it instead of silently swallowing the error
            error_log($e->getMessage());
        }
        return $result;
    }


You can just build your own sanitize function if you want.

I removed a few characters you may want; I don't even remember what they were, but you get the idea.


function anti_injection($sql) {
    // Case-insensitive blacklist of tokens; the original wrapped the pattern in sql_regcase(),
    // which was removed from PHP, so the /i modifier is used here instead. The dots in 127.0.0.1 are unescaped.
    $sql = preg_replace("/(127.0.0.1|drop table|show tables|\'|'\| |;|\|'|<|>|\*|--|\\\\)/i", "", $sql);

    $sql = trim($sql);
    $sql = strip_tags($sql);
    // get_magic_quotes_gpc() no longer exists on current PHP, so guard the call; otherwise escape with addslashes()
    $sql = (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) ? $sql : addslashes($sql);
    return $sql;
}


But there are already functions:

PDO::quote()

http://docs.php.net/manual/en/pdo.quote.php


Returns a quoted string that is theoretically safe to pass into an SQL statement. Returns FALSE if the driver does not support quoting in this way.


But the preferred method is this, though it takes more work:

http://docs.php.net/manual/en/pdo.prepare.php


I often wondered why they don't make databases default to not accept bad characters; if anything, make an "accept this bad character" function, ha ha.

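The query() method from the first post rewritten around prepare() and bound parameters, as an added example that is not code from any poster in this thread; it assumes an in-memory SQLite database with a constructed users table so it runs stand-alone, and also shows PDO::quote() for the case where a value really has to be interpolated.

```php
<?php
// Added example: prepared statements versus a string-built query(), against a throwaway SQLite DB.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data, not from the thread.
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
$pdo->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Untrusted input such as $_GET['name']; the apostrophe is enough to break a concatenated query.
$name = "o'brien";

// What the original queryPDO() does when the caller builds the SQL by concatenation:
// the value becomes part of the SQL text, so quoting is entirely the caller's problem.
try {
    $pdo->query("SELECT * FROM users WHERE name = '$name'");
} catch (PDOException $e) {
    echo "query() with concatenation failed: " . $e->getMessage() . "\n";
}

// Prepared statement: the SQL is fixed up front, the value is bound separately and is never parsed as SQL,
// so no escaping or sanitising of $name is needed.
function findUserByName(PDO $pdo, string $name): ?object
{
    $stmt = $pdo->prepare("SELECT id, name, email FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_OBJ);
    return $row === false ? null : $row;
}

var_dump(findUserByName($pdo, $name));    // NULL: no such user, and no SQL error either
var_dump(findUserByName($pdo, 'alice'));  // object with id, name, email

// PDO::quote() for the case where a value must be spliced into the SQL string: the driver escapes it.
$stmt = $pdo->query("SELECT name FROM users WHERE name = " . $pdo->quote($name));
var_dump($stmt->fetchColumn());           // false: quoted correctly, simply no match
```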
