php - Escape a pdo query, is that necessary?


My question of the day is: do I need to escape PDO in my script?

    $columns = implode(", ", $column);
    $query = ''.$query.' '.$columns.' '.$table.'';
    $dbh_query = $dbh->prepare($query);
    $dbh_query->execute();
    $dbh_querys = $dbh_query->fetchall();
    return $dbh_querys;

The whole script can be found at https://github.com/joshuahiwat/crud/blob/master/control/query_connector.class.php

Can you explain why I need to escape at this time, or why not?

i hear you, lot!

The parts of the query that are dynamic are the table name and column names. You can't use bind functions for these parts of the query. Bind functions can be used only for parts of the query that would otherwise be a simple value in an SQL query: a numeric constant, or a quoted string or quoted date literal.

To avoid SQL injection from dynamic table names or column names, you have the following choices:

  • Use values that are predefined in your class, or otherwise known to be safe. Don't use external content from users or any other source.
  • Use escaping. Note that the function PDO::quote() doesn't do the kind of escaping you need for table names or column names.
  • Create a "whitelist" of known table names and the column names for the respective table, and compare the dynamic input to the whitelist. If it doesn't match the whitelist, raise an error.
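
The whitelist option from the list above, as an added example that is not part of the original answer or of the linked script. The `ALLOWED` map, the `buildSelect()` helper and the `users`/`articles` schema are assumptions made for illustration, and the demo uses an in-memory SQLite database with constructed data.

```php
<?php
declare(strict_types=1);

// Assumed schema for this example: table name => columns that may be selected.
const ALLOWED = [
    'users'    => ['id', 'name', 'email'],
    'articles' => ['id', 'title', 'author_id'],
];

/** Build a SELECT from identifiers that exist in the allowlist, or throw. */
function buildSelect(string $table, array $columns): string
{
    if (!array_key_exists($table, ALLOWED)) {
        throw new InvalidArgumentException('Unknown table');
    }
    if ($columns === []) {
        throw new InvalidArgumentException('No columns requested');
    }
    foreach ($columns as $column) {
        // Strict comparison: only exact, known strings pass.
        if (!in_array($column, ALLOWED[$table], true)) {
            throw new InvalidArgumentException('Unknown column');
        }
    }
    // Every identifier now comes from ALLOWED, never from raw input.
    return 'SELECT ' . implode(', ', $columns) . ' FROM ' . $table;
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$dbh->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.test')");

// Identifiers go through the allowlist; the value goes through a bound parameter.
$stmt = $dbh->prepare(buildSelect('users', ['id', 'name']) . ' WHERE name = :name');
$stmt->execute([':name' => 'alice']);
print_r($stmt->fetchAll(PDO::FETCH_ASSOC));

// A column name that is not in the allowlist is rejected before any SQL is built.
try {
    buildSelect('users', ['name', 'password_hash']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```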
