is this a safe way to use SELECT via PDO

Possible Duplicate:
Best way to stop SQL Injection in PHP
How do I sanitize input with PDO?

I'm pulling in an id via $_GET . I just started using PDO and I'm unsure if this is safe or not. Obviously, the code below is using $_GET to grab an id. I'm not sanitizing it at all before I place it in the query. Is this safe?

<?php
if (isset($_GET['id'])) {
$blogid = $_GET['id'];
$post = $dbh->query("SELECT id, title, slug, body, image, author, date, category from   blog WHERE id='$blogid' ORDER BY date DESC");
$row = $post->fetch(); ?>

I'm not sanitizing it at all before I place it in the query

Nope. Not safe at all. :)

You either need to escape it, or use a prepared statement. With PDO, I would use a prepared statement:

if (isset($_GET['id']) && is_string($_GET['id'])) {
    $blogid = $_GET['id'];
    $stmt = $dbh->prepare("SELECT id, title, slug, body, image, author, date, category from   blog WHERE id= :id ORDER BY date DESC");
    $stmt->execute(array('id' => $_GET['id']));
    $row = $stmt->fetch();
}

It is NEVER safe to insert a variable in a SQL query without sanitizing/escaping it.

What you could do, if you don't want to escape it yourself is to use a prepare statement and bind your parameters.

You can check the PHP documentation...

About of how use PDO prepare: http://php.net/manual/en/pdo.prepare.php

How to use the parameters binding: http://www.php.net/manual/en/pdostatement.bindparam.php

链接地址: http://www.djcxy.com/p/93706.html

上一篇: 如何使网站更安全?

下一篇: 这是通过PDO使用SELECT的安全方式