Good day! I have started studying PDO methods; in principle I understand everything, but I would like to check with knowledgeable people. In general, this is my insert query:

DB::insert('table', array(
    'vi'     => $vi,
    'data'   => '',
    'posi'   => $_POST['na'],
    'desc'   => $_POST['des'],
    'bu'     => $_POST['zana'],
    'ed'     => $_POST['kv'],
    'dat'    => $date,          // was '$date' in single quotes, which stores the literal text "$date"
    'dop'    => $_POST['dop_i'],
    'priemt' => $_POST['pr'],
    'spisok' => $_POST['spis'],
    'date'   => $date1,
    'mesto'  => $_POST['mest'],
    // 'date' => $date,         // duplicate key: in a PHP array literal the later value silently replaces $date1
    'vacan'  => '1',
    'con'    => $_POST['con']
));

How safe is it in this form? I tried to put the placeholders %i, %l, %s in place of the values, but it gives an error. I realized that placeholders will not work in this insert, but what is the risk of this query: is there a threat of SQL injection and XSS?

  • This is not an insert query. This is a call to the static insert method of a custom DB class. You need to look at the code of this class. - Shallow
  • Well, is the insert method safe in this form? I cannot disagree; the configuration does not allow it. - user263832
  • You cannot answer without the code of this class. - andreymal
  • This class has nothing to do with PDO. - Visman
  • And where does PDO come in? meekrodb is some third-party library for working with the database. It uses mysqli and does not use bind_param, without which safety cannot be guaranteed. I can't be bothered to analyze this code in depth. If you are interested, put a print of the executed queries in it right before they are sent to the database and see what it actually generated there. - Mike

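To show what placeholders look like when the insert really goes through PDO, here is the same row written with PDO prepared statements. This is an added example, not the asker's code and not MeekroDB's API; the DSN, credentials, table layout and the `$vi` value are assumptions. It goes a little beyond the question: POST fields are mapped through a fixed whitelist so column names never come from user input, and the XSS half of the question is handled where it belongs, at output time.

```php
<?php
declare(strict_types=1);

// Added example (not the asker's code, not MeekroDB): the question's INSERT done
// with PDO prepared statements, so values from $_POST are bound by the driver,
// never spliced into the SQL string. Assumed: a `table` with the columns below,
// a MySQL DSN and credentials (placeholders), PHP 7.4+ for arrow functions.

/** POST field => column. Column names come only from this fixed map. */
const POST_TO_COLUMN = [
    'na'    => 'posi',
    'des'   => 'desc',
    'zana'  => 'bu',
    'kv'    => 'ed',
    'dop_i' => 'dop',
    'pr'    => 'priemt',
    'spis'  => 'spisok',
    'mest'  => 'mesto',
    'con'   => 'con',
];

function connect(): PDO
{
    // Placeholder DSN and credentials (assumption). Emulated prepares are turned
    // off so MySQL itself separates SQL from data instead of PHP-side escaping.
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',
        'user',
        'password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

/** Fixed columns plus the whitelisted POST fields; anything else in $post is ignored. */
function buildRow(array $post, string $vi, string $date, string $date1): array
{
    $row = [
        'vi'    => $vi,
        'data'  => '',
        'dat'   => $date,
        'date'  => $date1,
        'vacan' => '1',
    ];
    foreach (POST_TO_COLUMN as $field => $column) {
        // Missing fields become empty strings; array input (na[]=x) is rejected
        // rather than silently cast to the string "Array".
        $value = $post[$field] ?? '';
        if (!is_string($value)) {
            throw new InvalidArgumentException("Field '$field' must be a string");
        }
        $row[$column] = $value;
    }
    return $row;
}

/** One named placeholder per column; identifiers are backtick-quoted (`desc` is reserved). */
function buildInsertSql(string $table, array $row): string
{
    $columns = array_map(fn (string $c): string => "`$c`", array_keys($row));
    $params  = array_map(fn (string $c): string => ":$c", array_keys($row));
    return sprintf(
        'INSERT INTO `%s` (%s) VALUES (%s)',
        $table,
        implode(', ', $columns),
        implode(', ', $params)
    );
}

function insertRow(PDO $pdo, string $table, array $row): int
{
    $stmt = $pdo->prepare(buildInsertSql($table, $row));
    foreach ($row as $column => $value) {
        $stmt->bindValue(":$column", $value, PDO::PARAM_STR);
    }
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

/** XSS is an output concern: escape when rendering, not when storing. */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage, as in the question's handler. $vi stands in for the question's variable.
$vi    = 'example';
$date  = date('Y-m-d H:i:s');
$date1 = date('Y-m-d');
$row   = buildRow($_POST, $vi, $date, $date1);
$id    = insertRow(connect(), 'table', $row);

// A value such as  ' OR 1=1 --  in $_POST['na'] is stored verbatim as data;
// when it is shown in a page later it still has to pass through escapeForHtml().
echo escapeForHtml($row['posi']);
```

The SQL string is assembled only from the fixed column names in POST_TO_COLUMN, and every user-controlled value reaches MySQL as a bound parameter, which is exactly the property the comments say cannot be confirmed for DB::insert without reading the class. Injection and XSS are separate questions: a prepared statement keeps attacker input from changing the query, but the database stores whatever string arrived, so the HTML escaping has to happen wherever that column is rendered.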