php - [SOLVED] PDO/MySQL Prepared Statement Injection Semi Colon


I'm wondering why, in a prepared statement, the characters from the form's user input aren't escaped as I expect them to be. Here is the code at the particular part:

if( isset( $_POST['key'] ) && strlen($_POST['key']) <= 15) {
    $sql = "SELECT titel, date, content FROM news WHERE content LIKE :content OR titel LIKE :title";
    if( $stmt = $pdo->prepare($sql) ) {
        $temp = "%".$_POST['key']."%"; // not manually escaped here
        $stmt->bindParam(':content', $temp); // should escape!?
        $stmt->bindParam(':title', $temp); // should escape!?
        $stmt->execute();
        // the bound column names must match the columns in the SELECT list
        $stmt->bindColumn("titel", $title, PDO::PARAM_STR);
        $stmt->bindColumn("date", $date, PDO::PARAM_STR);
        $stmt->bindColumn("content", $content, PDO::PARAM_STR);

        while( $stmt->fetch() ) {
            // the function shorten() shortens the content for preview reasons
            echo "<span class='head'>".$title." :: ".$date."</span><br />".shorten($content)."...<br /><hr>";
        }

        // ends statement
        $stmt = null;

        // ends connection
        $pdo = null;
    }
    else {
        $err .= "Statement wasn't prepare()'ed!";
    }
}
else {
    $err .= "No or false input!";
}

So this works alright, but when I enter ';' for example it throws out every result. I'm not sure if it escapes the input properly. Am I missing something, or are there no characters escaped? If so, which are they? I would rather escape them manually.

I'm wondering why, in a prepared statement, the characters from the form's user input aren't escaped as I expect them to be.

Because your expectations are wrong.
A prepared statement does not involve escaping at all.
To be honest, a semicolon character is totally harmless and requires no escaping at all.

PDO/MySQL prepared statement injection

There is no possible injection in this code; it is safe.

When I enter ';' for example it throws out every result.

That's a different question, irrelevant to injections and escaping. Double-check your data and your other premises.

By the way, the code can be shortened a bit:

$sql  = "SELECT titel, date, content FROM news WHERE content LIKE ? OR titel LIKE ?";
$temp = "%".$_POST['key']."%";
$stmt = $pdo->prepare($sql);
$stmt->execute(array($temp,$temp));
while( $row = $stmt->fetch() ) {
    extract($row);
    echo "<span class='head'>$titel :: $date</span><br />".shorten($content)."...<br /><hr>";
}
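To make the answer's point concrete, here is an added example (not code from the question or the answer): it runs the same LIKE search against an in-memory SQLite database through PDO, an assumption made so it runs offline (the question used MySQL), with a constructed news table, and shows that a bound key containing a semicolon or a quote is treated as data. It also covers the one thing binding does not handle, the LIKE wildcards % and _ inside the key.

```php
<?php
// Added example, not from the question or the answer above. It uses an
// in-memory SQLite database through PDO (the original used MySQL) and a
// constructed news table, so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE news (titel TEXT, date TEXT, content TEXT)");
$pdo->exec("INSERT INTO news VALUES ('First', '2013-01-01', 'hello; world'),
                                    ('Second', '2013-01-02', 'plain text')");

// Same query shape as the question. The key is wrapped in % and bound, so the
// driver sends it as a value; nothing in it can alter the SQL text.
// With $literal = true the LIKE wildcards % and _ typed by the user are
// escaped as well, so they match themselves instead of acting as wildcards.
function searchNews(PDO $pdo, string $key, bool $literal = false): array
{
    $sql = "SELECT titel, date, content FROM news
            WHERE content LIKE :content OR titel LIKE :title";
    if ($literal) {
        $key = strtr($key, ['!' => '!!', '%' => '!%', '_' => '!_']);
        $sql = "SELECT titel, date, content FROM news
                WHERE content LIKE :content ESCAPE '!' OR titel LIKE :title ESCAPE '!'";
    }
    $stmt = $pdo->prepare($sql);
    $temp = "%" . $key . "%";
    $stmt->bindValue(':content', $temp);
    $stmt->bindValue(':title', $temp);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A semicolon is an ordinary character inside the bound pattern: one match.
$rows = searchNews($pdo, ';');
assert(count($rows) === 1 && $rows[0]['titel'] === 'First');

// A quote is just data too: no syntax error is raised, simply no match.
$rows = searchNews($pdo, "'");
assert(count($rows) === 0);

// What binding does not cover: % is a LIKE wildcard, so '%' matches every row...
assert(count(searchNews($pdo, '%')) === 2);
// ...unless the key is escaped and the query carries an ESCAPE clause.
assert(count(searchNews($pdo, '%', true)) === 0);

echo "semicolon and quote handled as data; LIKE wildcards need separate escaping\n";
```

Run it with the PHP CLI; it needs the pdo_sqlite extension, and the ESCAPE '!' form works unchanged on MySQL.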
