September 15th, 2013, 12:40 PM
I am reading the following articles, as I'm guessing they are what I need to read up on and that they relate to what I am doing:
Don't insert raw values into query strings.
Don't output raw values or insert them into the HTML page.
September 15th, 2013, 12:45 PM
Yes, those are the articles you'll need.
Originally Posted by ianhaney
And I see you've taken the form offline. That's a good start.
September 15th, 2013, 12:51 PM
Cool, lol. Yeah, I will learn what needs to be done first and test it on localhost first, and once it's all working I will put it all back online.
September 15th, 2013, 12:54 PM
Sorry, quick one.
Just reading this line:
$database = new PDO('mysql:host=localhost;dbname=YOURDB;charset=utf8', 'YOURUSER', 'YOURPW', $db_options); // important! specify the character encoding in the DSN string, don't use SET NAMES
I take it the DSN string is the following, and it also says not to use SET NAMES. I guess you mean not to use the real dbname, hostname and password? So how can it be encoded so it is not using SET NAMES, or do you explain that in the article?
$database = new PDO('mysql:host=localhost;dbname=YOURDB;charset=utf8', 'YOURUSER', 'YOURPW', $db_options);
September 15th, 2013, 04:15 PM
All you need to do is replace the placeholders "YOURDB", "YOURUSER" etc. with your real data.
The DSN string is the database configuration string starting with "mysql:...". If you want to set the character encoding of the connection, then you must do it in this string using the charset option. You must not use a SET NAMES query. Many bad tutorials suggest this, but it can again make your database code vulnerable to SQL injections.
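As an added example (not code from the thread or from the linked articles), here is what the advice above looks like when put together: the charset goes in the DSN, emulated prepares are switched off, the form value is passed as a bound parameter instead of being spliced into the query string, and the result is escaped before it is written into the HTML page. The host, database name, user, password, table and column names are placeholders; the sample email value is constructed to show why concatenation is dangerous.

```php
<?php
// Added example, not from the thread. YOURDB / YOURUSER / YOURPW and the
// "users" table are placeholders to replace with real values.

$db_options = [
    // Throw exceptions on errors instead of failing silently.
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    // Use real server-side prepared statements rather than client-side
    // emulation, so parameter values travel separately from the SQL text.
    PDO::ATTR_EMULATE_PREPARES   => false,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
];

// The charset belongs in the DSN: that is how the client library itself learns
// which encoding the connection uses. A SET NAMES query only tells the server,
// so the client's own idea of the charset (used for escaping) stays out of sync.
$database = new PDO(
    'mysql:host=localhost;dbname=YOURDB;charset=utf8',
    'YOURUSER',
    'YOURPW',
    $db_options
);

// Untrusted input from the form. The fallback is a constructed sample value
// containing a quote, so the script can be run without a POST request.
$email = $_POST['email'] ?? "alice@example.com' OR '1'='1";

// The pattern the thread warns against: the raw value is concatenated into the
// SQL string, so the quote in $email changes the meaning of the query.
//   $rows = $database->query("SELECT id, name FROM users WHERE email = '$email'");

// The safe pattern: a named placeholder, with the value bound at execute time.
// The quote in $email is just data; it can no longer alter the statement.
$stmt = $database->prepare('SELECT id, name FROM users WHERE email = :email');
$stmt->execute([':email' => $email]);

foreach ($stmt as $row) {
    // The thread's second rule: escape on output too, so a value stored in the
    // database cannot inject markup or script into the page.
    echo '<li>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . '</li>';
}
```

The two settings in $db_options are the ones that matter for the injection question: with PDO::ATTR_EMULATE_PREPARES left at its default, PDO builds the final query string on the client side, which is exactly where a charset mismatch caused by SET NAMES can be exploited; with emulation off and the charset declared in the DSN, the server receives the statement and the parameters as separate items.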