Hello. I recently began studying PDO with MySQL and ran into a question. I am writing a personal-page file for users and doing a select from the database. I wanted to clarify whether it is necessary to filter the $_GET['username'] variable, or is it enough to run it through bindParam? Is SQL injection possible here? Thanks :)

    $stmt = $db->prepare('SELECT `id`, `username` FROM `accounts` WHERE `username` = :username LIMIT 1');
    $stmt->bindParam(':username', $_GET['username'], PDO::PARAM_STR);
    $stmt->execute();
  • isset($_GET['username']) is needed at least to make sure that the variable is available at all. - Visman
  • Is this the way to do it? $username = isset($_GET['username']); $stmt = $db->prepare('SELECT id, username FROM accounts WHERE username = :username LIMIT 1'); $stmt->bindParam(':username', $username, PDO::PARAM_STR); $stmt->execute(); - VaDoSiQ
  • php.net/manual/ru/function.isset.php if (!isset($_GET['username'])) { exit('Get lost! Happy New Year!'); } at the beginning of the script that uses $_GET['username']. P.S. Before using any data that came from outside, you need to check its presence as a minimum. As a maximum, run it through a validator. - Visman
  • So, is filtering needed? In the case of $_GET['id'], filtering with intval($_GET['id']) is needed - VaDoSiQ
  • Injection is excluded in any case; you don't need to worry about that. Additional checks are generally needed only so that the query (or the entire script) does not end with an error, and so that the user can be given a more intelligible error message. - Mike

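The following is an added example, not code from the question or the comments, that puts the discussion side by side: the parameterised query from the question fed a classic injection payload, the concatenated version of the same query fed the same payload, the isset() presence check from the comments, and an integer id bound with PDO::PARAM_INT after validation, which is what the intval() remark is getting at. It uses an in-memory SQLite database so it runs offline; the table, the two accounts and the request values are constructed for the demo. With MySQL only the DSN changes, and there you should also name the connection charset in the DSN (for example `;charset=utf8mb4`) so that the driver's quoting matches the server's charset.

```php
<?php
// Added example, not part of the original post. Demonstrates that binding
// a value with PDO keeps it out of the SQL text, while string concatenation
// lets the same input rewrite the query. SQLite in-memory stands in for MySQL.
declare(strict_types=1);

// Constructed sample database. For MySQL the DSN would look like
// 'mysql:host=localhost;dbname=app;charset=utf8mb4' (charset named explicitly).
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO accounts (username) VALUES ('alice'), ('bob')");

/** Safe: the username travels as a bound parameter, never inside the SQL string. */
function findAccountSafe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM accounts WHERE username = :username LIMIT 1');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Vulnerable version kept only for comparison: the input becomes part of the SQL. */
function findAccountUnsafe(PDO $db, string $username): array
{
    $sql = "SELECT id, username FROM accounts WHERE username = '$username' LIMIT 1";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Numeric ids: reject anything that is not a plain non-negative integer, then bind as INT. */
function findAccountById(PDO $db, string $rawId): ?array
{
    if ($rawId === '' || !ctype_digit($rawId)) { // rejects "1 OR 1=1", "-1", "abc"
        return null;
    }
    $stmt = $db->prepare('SELECT id, username FROM accounts WHERE id = :id LIMIT 1');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed request input, standing in for $_GET.
$get = ['username' => "' OR '1'='1", 'id' => '2 OR 1=1'];

// Presence check from the comments: missing parameter gives a clear message, not a PHP notice.
if (!isset($get['username']) || !is_string($get['username'])) {
    exit('username is required');
}

var_dump(findAccountSafe($db, $get['username']));   // NULL: nobody is literally named "' OR '1'='1"
var_dump(findAccountUnsafe($db, $get['username'])); // OR clause takes effect: returns alice's row
var_dump(findAccountById($db, $get['id']));         // NULL: "2 OR 1=1" fails the digit check
var_dump(findAccountById($db, '2'));                // bob's row
```

The safe and unsafe functions run the same SQL text with the same input; the only difference is whether the value is a parameter or part of the statement, which is the whole answer to the question. The isset() and ctype_digit() checks do not add injection protection on top of binding; they exist, as the last comment says, so that a missing or malformed parameter produces a clear response instead of an error.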