Is the data being passed correctly in this function? Is another escaping method possible? bindParam does not work for $DBH->query

```php
public function CheckAuth($email, $password)
{
    $DBH = Registry::get('DBH');
    try {
        // Escape the user-supplied values and splice them into the SQL text
        $email = $DBH->quote($email);
        $password = $DBH->quote($password);
        $STH = $DBH->query("SELECT id FROM user WHERE mail=$email AND password=$password");
        $STH->setFetchMode(PDO::FETCH_ASSOC);
        // Return the id of the first matching row (null if nothing matched)
        while ($row = $STH->fetch()) {
            return $row['id'];
        }
    } catch (PDOException $e) {
        print $e->getMessage();
    }
}
```

    1 answer

    If you use this function to build SQL queries, it is strongly recommended that you use the PDO::prepare() method to prepare a query with placeholders instead of using PDO::quote() to insert user-entered data into the SQL query. Prepared statements with parameters are not only more compact, more convenient, and more resistant to SQL injection, but also work faster than manually constructed queries, since both the client and the server can cache such queries in an already compiled form.

    docs: PDO::quote()

    bindParam does not work for $DBH->query

    And once again, to the docs. There is such a method (or rather, it is called bindParam), and its description contains examples of its use, on the PDOStatement returned by the PDO::prepare() method. As for query(), you can already guess from the name that it executes a query here and now, not to mention (forgive my insistence) the docs.

    • docs are for wimps, better to ask on the forum - Gedweb
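The rewrite the answer recommends, as an added example that is not the asker's or answerer's code: the same CheckAuth built on PDO::prepare() with bound parameters, so no user input ever enters the SQL text. It assumes, as in the question, that Registry::get('DBH') returns a PDO instance and that the `user` table has `id`, `mail` and `password` columns.

```php
<?php
// Added example: CheckAuth rewritten with PDO::prepare() + bindParam() instead of
// PDO::quote() string building. Registry::get('DBH') is assumed to return a PDO.
class Auth
{
    public function CheckAuth($email, $password)
    {
        $DBH = Registry::get('DBH');
        try {
            // Named placeholders stand in for the values; the query text is constant.
            $STH = $DBH->prepare(
                'SELECT id FROM user WHERE mail = :email AND password = :password'
            );
            // bindParam() belongs to PDOStatement, which is why it is not available
            // on $DBH->query(): query() has no prepare step to bind into.
            $STH->bindParam(':email', $email, PDO::PARAM_STR);
            $STH->bindParam(':password', $password, PDO::PARAM_STR);
            $STH->execute();

            // fetch() returns false when no user matched; avoid indexing into false.
            $row = $STH->fetch(PDO::FETCH_ASSOC);
            return $row ? $row['id'] : null;
        } catch (PDOException $e) {
            // Log instead of print: the driver message can reveal table and column
            // names to the client.
            error_log($e->getMessage());
            return null;
        }
    }
}
```

For the server-side preparation and caching the answer mentions, set PDO::ATTR_EMULATE_PREPARES to false on the connection; with emulation left on, PDO still substitutes the bound values safely on the client side, but the statement is not compiled by the server.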