#16
--
    Use what?
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
#17
    Contributing User

    I mean what does "->" mean?
#18
    Contributing User
    read up on objects.

    also: http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers is a PDO tutorial
#19
    Contributing User

    Got it.

    I just wrote this new code using PDO to INSERT a query to the database.

    Is this secure - or am I still at risk for SQL injections??

    Have a look:

    PHP Code:
    $stmt = $con->prepare("INSERT INTO pixs(title, Price, location, Description, picname, picname2, date, phonenumber, email) VALUES(:title, :Price, :location, :Description, :picname, :picname2, :date, :phonenumber, :email)");
    $stmt->execute(array(':title' => $title, ':Price' => $price, ':location' => $location, ':Description' => $description, ':picname' => $picname, ':picname2' => $picname2, ':date' => $today, ':phonenumber' => $phonenumber, ':email' => $email));
    Last edited by requinix; May 30th, 2013 at 02:27 PM. Reason: code tags to avoid the emoticons
#20
    Mad Scientist
    almost, remove the : from your second line and you're there.

    Also, it doesn't hurt to format things nicely:

    PHP Code:
    $sql = "
        INSERT
        INTO
            pixs (
                 `title`
                ,`Price`
                ,`location`
                ,`Description`
                ,`picname`
                ,`picname2`
                ,`date`
                ,`phonenumber`
                ,`email`
            ) VALUES (
                 :title
                ,:Price
                ,:location
                ,:Description
                ,:picname
                ,:picname2
                ,:date
                ,:phonenumber
                ,:email
            )
        ;
    "
    ;

    $args = array(
         'title'        => $title
        ,'Price'        => $price
        ,'location'     => $location
        ,'Description'  => $description
        ,'picname'      => $picname
        ,'picname2'     => $picname2
        ,'date'         => $today
        ,'phonenumber'  => $phonenumber
        ,'email'        => $email
    );

    $stmt = $con->prepare($sql);

    $stmt->execute($args);
    The re-usability comes in when you use the same $sql (you don't need to call prepare and get another PDOStatement object) - all you do is rebuild $args with new values and run $stmt->execute($args); again
    Last edited by Northie; May 30th, 2013 at 03:58 PM.
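    Putting the two points of this thread together (the keyword blacklist quoted in #16 and Northie's reuse of one prepared statement in #20), here is an added example that is not code from the thread or from any of its posters. It assumes an in-memory SQLite database instead of MySQL so it runs offline, and the row values are constructed; the table and column names are the ones from the `pixs` INSERT above.

```php
<?php
// Added example, not code from the thread: one PDO prepared statement reused for
// several rows. It targets an in-memory SQLite database so it runs offline; the table
// and column names follow the thread's `pixs` INSERT, and the row values are constructed.
// With the MySQL driver the thread uses, also pass PDO::ATTR_EMULATE_PREPARES => false
// so the server, not the client library, binds the parameters.
$con = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // fail loudly instead of returning false
]);
$con->exec('CREATE TABLE pixs (title TEXT, Price TEXT, location TEXT, Description TEXT,
            picname TEXT, picname2 TEXT, date TEXT, phonenumber TEXT, email TEXT)');

// Prepared once; the SQL text never changes, so user input can never alter its structure.
$sql = 'INSERT INTO pixs (title, Price, location, Description, picname, picname2, date, phonenumber, email)
        VALUES (:title, :Price, :location, :Description, :picname, :picname2, :date, :phonenumber, :email)';
$stmt = $con->prepare($sql);

// Constructed sample rows. The first title holds a quote and the word "select", which the
// keyword blacklist quoted in post #16 would reject outright; bound as a parameter it is just data.
$rows = [
    ['title' => "Tom's select photos", 'Price' => '10', 'location' => 'York',
     'Description' => "it's -- not a comment", 'picname' => 'a.jpg', 'picname2' => 'b.jpg',
     'date' => '2013-05-30', 'phonenumber' => '01234', 'email' => 'tom@example.com'],
    ['title' => 'Plain title', 'Price' => '20', 'location' => 'Leeds',
     'Description' => 'ordinary', 'picname' => 'c.jpg', 'picname2' => 'd.jpg',
     'date' => '2013-05-31', 'phonenumber' => '05678', 'email' => 'ann@example.com'],
];
foreach ($rows as $args) {
    $stmt->execute($args); // only the bound values change between calls
}

// Check: two rows, and the awkward title came back byte for byte.
$count = (int) $con->query('SELECT COUNT(*) FROM pixs')->fetchColumn();
$first = $con->query('SELECT title FROM pixs ORDER BY rowid LIMIT 1')->fetchColumn();
if ($count !== 2 || $first !== "Tom's select photos") {
    throw new RuntimeException("unexpected result: $count rows, first title $first");
}
echo "inserted $count rows; first title stored as: $first\n";
```

    The keys of `$args` are given without the leading colon, as Northie suggests; PDO accepts either form for named placeholders.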
#21
    Did you steal it?
    Originally Posted by phpnewbie34
    Is this secure - or am I still at risk for SQL injections??
    Being answered over here.
#22
    Permanently Banned
    Locking down
    Encrypting data
    Least Privilege - Database account
    Least Privilege - Process account
    Cleaning and Validating input