I use PDO and prepared statements. But the essence is that, for example, I receive a message from an input field of type textarea

lalala, hi everyone! \n (this is the line break when Enter is pressed in the textarea) I'm the user who sent the message!

So what is the point, is it safe to immediately insert a PDO prepared request, the content that came from the user, directly?

Now I use a bunch of regular expressions to check the contents, but many complain that the form shows errors like "FIELD is not filled in correctly", and every time I add more, cutting all forms of UNION, SELECT, etc. out of the forms...

  • I think that is normal, but when you display these messages, then escape them - jashka
  • But I use $pdo->prepare(); and placeholders in the SQL query; it escapes by itself, and that's the trick - user190134
  • So it's safe; that's what prepared statements are for - jashka
  • It turns out that you can insert data into the SQL query directly from the user input field, but they don't advise it to everyone; that's why I asked the question like this.. From the documentation: call PDO::prepare() .... and it also helps to avoid SQL injections, as there is no need to escape the passed parameters. - user190134
  • In any case, you can never trust users - jashka

1 answer

You have somewhat contradictory statements. In the question you write:

Is it safe to immediately insert a prepared request for a PDO, the contents of which came from the user, directly?

This is not entirely in Russian, but it can be understood that you substitute the data that came from the user into the request. Of course, you can't do that.

However, in the comments you write that

But I use $pdo->prepare(); and placeholders in the SQL query,

That is, you do not substitute anything into the query directly. But then again:

It turns out that you can insert data into the SQL query directly from the user input field, but they don't advise it to everyone,

Make up your mind: do you substitute something into the query directly, or not?

If the data really is substituted into the query directly, for example:

    $stmt = $pdo->prepare("SELECT name FROM users WHERE email = '{$_GET['email']}'");
    $stmt->execute();

such a query is, of course, insecure.

But if placeholders are used, for example:

    $stmt = $pdo->prepare('SELECT name FROM users WHERE email = ?');
    $stmt->execute([$_GET['email']]);

here the data is not inserted into the query directly, which makes it safe.

  • Is it safe to insert data into the query like this? Through placeholders.... - user190134
  • If it were not safe, then there would be no sense in them - Ipatyev
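The following is an added example, not code from the question or the answer above, that puts the two points of this thread together: the textarea message from the question (line break, quote and SQL keywords included) goes into the database through a PDO placeholder and is stored verbatim, with no regex filtering of UNION or SELECT on input, and the escaping that the comments talk about happens on output with htmlspecialchars(). The functions save_message(), find_messages_by_author() and render_message(), the messages table and the sample message are all assumptions made for the example; the in-memory SQLite database is used only so that it runs offline.

```php
<?php
// Added example (not from the original question or answer).
// Assumed table and helper names; the message text is constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask for real server-side prepares where the driver supports them.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec(
    'CREATE TABLE messages (
        id     INTEGER PRIMARY KEY AUTOINCREMENT,
        author TEXT NOT NULL,
        body   TEXT NOT NULL
    )'
);

// Hypothetical helper: the user text is bound to a named placeholder and
// never becomes part of the SQL string, so nothing in it can change the query.
function save_message(PDO $pdo, string $author, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO messages (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Hypothetical helper: same idea with a positional placeholder, as in the answer.
function find_messages_by_author(PDO $pdo, string $author): array
{
    $stmt = $pdo->prepare('SELECT id, author, body FROM messages WHERE author = ?');
    $stmt->execute([$author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escaping belongs here, at output time, not at input time:
// htmlspecialchars() neutralises HTML, nl2br() keeps the textarea line breaks.
function render_message(array $row): string
{
    $body = htmlspecialchars($row['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p class="msg">' . nl2br($body) . '</p>';
}

// Constructed input: what the textarea from the question might submit,
// with a line break, a single quote, an HTML tag and SQL keywords.
$fromTextarea = "lalala, hi everyone!\nI'm the user who sent the message! <b>UNION SELECT</b> 'x'";

save_message($pdo, 'user190134', $fromTextarea);
$rows = find_messages_by_author($pdo, 'user190134');

// The query ran unchanged and the text is stored exactly as typed.
if (count($rows) !== 1 || $rows[0]['body'] !== $fromTextarea) {
    throw new RuntimeException('message was not stored verbatim');
}

echo render_message($rows[0]), PHP_EOL;
```

Two practical notes on the design: with drivers such as pdo_mysql, PDO emulates prepares by default and escapes the bound values client-side, so the connection character set should be set in the DSN (for example `charset=utf8mb4`) so that the escaping matches what the server decodes; setting PDO::ATTR_EMULATE_PREPARES to false, as above, makes the server do the binding where the driver supports it. Placeholders only cover values, so a table name, column name or ORDER BY direction coming from the user still has to be checked against a whitelist in PHP.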