This question has already been answered:

Tell me the functions for protection) here's the query itself) All parameters of the method are passed in from the query string.

    // $catSlug = category slug
    // $page    = pagination page
    public static function catProductList($catSlug, $page = 1)
    {
        if ($catSlug) {
            $page   = intval($page);
            $offset = ($page - 1) * self::SHOW_BY_DEFAULT;
            $db = Db::getConnection();
            $catProd = array();
            // $catSlug comes from the query string and is interpolated straight into the SQL text
            $result = $db->query("SELECT * FROM product WHERE status='1' AND category_sl='$catSlug' ORDER BY id DESC LIMIT " . self::SHOW_BY_DEFAULT . " OFFSET " . $offset);
            $i = 0;
            while ($row = $result->fetch()) {
                $catProd[$i]['id']     = $row['id'];
                $catProd[$i]['name']   = $row['name'];
                $catProd[$i]['price']  = $row['price'];
                $catProd[$i]['image']  = $row['image'];
                $catProd[$i]['is_new'] = $row['is_new'];
                $catProd[$i]['slug']   = $row['slug'];
                $i++;
            }
            return $catProd;
        }
    }

Reported as a duplicate by participants Alexey Shimansky, sanmai, Ipatiev, Visman, PashaPash on 8 Sep '17 at 21:51.


  • And where is the query filtering itself? There is a specific set of functions for SQL protection. So for MySQL in PHP there is mysqli_real_escape_string($db, query); for PDO there are new queries, and so on. - Evgeny Ivanov
  • Well, that's what I'm talking about. I don't know which function to use - Gaioz
  • No (and 11 characters) - Visman
  • Tell me the function for protection - Gaioz

1 answer

In principle, if you strictly follow the data types that go into the table, you can do without the special escaping functions. But if you are careless, problems may arise. And since you already use PDO, work with prepared statements. It may seem difficult at first glance, and it is easy to make a mistake, but there is a solution: passing the data to prepared statements in an array, they work fine with it.

  • Funny comment. Suppose I strictly followed that $catSlug is of my type string. So can you do without? - Ipatiev
  • Strictly follow this, for example: use only numbers as keys in the database and nothing but digits, no strings at all, and don't let through anything other than digits of a certain length. And write only text to the database, no special characters and the like. - Denis
  • Wut?! What are the "keys in the database"? - Ipatiev
  • Enough playing the fool)) You know what I mean. And judging by the karma you must understand)) Even a fool gets it: if it is impossible to pass, say, a string in the query, only a number, then there is no way to get data from the desired cell. What SQL injection is and how it works, I think I need not explain to you, judging by the karma. And yes, I use prepared statements in my projects. It is a pity there is no opportunity to discuss, otherwise I would have talked with you on this topic. - Denis
  • @Denis, you are answering a duplicate of a popular question, to which a detailed answer has already been given. And you answer briefly, without details, and after the author of the question had already been pointed to the duplicate - hence the tough reaction from some participants :) - PashaPash
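The answer above says to move the data into PDO prepared statements. Below is an added example (not the asker's or the answerer's code) of the same catProductList method rewritten that way; the class name Product, the constant value and the in-memory SQLite stand-in for Db::getConnection() are assumptions so the example runs offline.

```php
<?php
// Stand-in for the asker's Db class: a constructed in-memory SQLite database
// with the same columns the original query reads (assumption, for a runnable demo).
class Db {
    public static function getConnection(): PDO {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, price REAL,
                    image TEXT, is_new INTEGER, slug TEXT, status INTEGER, category_sl TEXT)");
        $ins = $pdo->prepare("INSERT INTO product (name, price, image, is_new, slug, status, category_sl)
                              VALUES (?, ?, ?, ?, ?, ?, ?)");
        foreach ([['Phone',  199.0, 'p.jpg', 1, 'phone',  1, 'gadgets'],
                  ['Tablet', 299.0, 't.jpg', 0, 'tablet', 1, 'gadgets'],
                  ['Hidden',   9.0, 'h.jpg', 0, 'hidden', 0, 'gadgets']] as $r) {
            $ins->execute($r);   // data passed to the prepared statement as an array
        }
        return $pdo;
    }
}

class Product {
    const SHOW_BY_DEFAULT = 6;   // assumed value

    public static function catProductList($catSlug, $page = 1): array {
        $catSlug = (string) $catSlug;
        if ($catSlug === '') { return []; }
        $page   = max(1, intval($page));
        $offset = ($page - 1) * self::SHOW_BY_DEFAULT;
        $db = Db::getConnection();
        // Placeholders instead of string interpolation: the slug travels as a
        // parameter, never as part of the SQL text, so quotes in it are inert.
        $stmt = $db->prepare(
            "SELECT id, name, price, image, is_new, slug FROM product
             WHERE status = 1 AND category_sl = :slug
             ORDER BY id DESC LIMIT :limit OFFSET :offset"
        );
        $stmt->bindValue(':slug', $catSlug, PDO::PARAM_STR);
        // LIMIT/OFFSET must be bound as integers: with emulated prepares a string
        // value would be quoted and MySQL would reject the statement.
        $stmt->bindValue(':limit',  self::SHOW_BY_DEFAULT, PDO::PARAM_INT);
        $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// A slug carrying a quote no longer changes the query; it simply matches no row.
var_dump(count(Product::catProductList("gadgets' OR '1'='1")));
var_dump(count(Product::catProductList('gadgets', 1)));
```

The first call returns an empty list and the second returns the two rows with status 1; the row with status 0 is never exposed, unlike with the interpolated query from the question.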