How to remove potentially bad data from PHP and PDO MySql
I'm using MySQL, executing queries with:
public function query($query, $params = array(), $format = array()) {
    if ( !is_array( $params ) ) return false;
    $dbh = parent::$dbh;
    if ( empty($dbh) ) return false;
    $stmt = $dbh->prepare($query);
    if ( !empty($format) ) {
        $values = array_values($params);
        foreach ( $format as $key => $bind ) {
            switch ($bind) {
                case '%d':
                    $stmt->bindValue($key + 1, $values[$key], PDO::PARAM_INT);
                    break;
                case '%s':
                    $stmt->bindValue($key + 1, $values[$key], PDO::PARAM_STR);
                    break;
                default:
                    $stmt->bindValue($key + 1, $values[$key], PDO::PARAM_STR);
                    break;
            }
        }
        // Values are already bound; passing $params to execute() again would
        // rebind them all as PDO::PARAM_STR and discard the %d typing above.
        $stmt->execute();
    } else {
        $stmt->execute($params);
    }
    return $stmt;
}
How can I safely remove invalid characters when the search uses LIKE? For instance:
$filter = "filter's";
if (isset($filter)) {
    $search_filter = 'content LIKE \'%'.$filter.'%\'';
    $sql = "SELECT * FROM messages WHERE $search_filter";
    $stmt = $this->query($sql);
}
The simplest way is to use PDO::quote.
Change the assignment of $search_filter:
$search_filter = 'content LIKE '.$dbh->quote("%".$filter."%");
If you want to move to parameterized queries, do:
$sql = "SELECT * FROM messages WHERE content LIKE ?";
$params = array("%".$filter."%");   // execute() takes an array of values
$stmt = $dbh->prepare($sql);
$stmt->execute($params);
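The answer above fixes the injection, but a parameterized LIKE still treats % and _ inside the user's input as wildcards, so a filter of "%" matches every row. The following is an added, self-contained example (not code from the question or the answer) that puts the unsafe concatenation next to the prepared-statement version and adds the wildcard escaping. It assumes the pdo_sqlite extension so it runs offline against an in-memory database; the messages table, its rows and the escapeLike/searchMessages helpers are constructed for the demo. Swap the DSN for your MySQL one; the ESCAPE '!' clause works on both engines.

```php
<?php
// Added example, not from the original question or answer.
// Assumes pdo_sqlite for an offline demo; replace the DSN for MySQL.
declare(strict_types=1);

/**
 * Escape the LIKE metacharacters % and _ (and the escape character itself)
 * so user input is matched literally. Prepared statements stop SQL
 * injection, but they do not stop "%" in $filter from becoming a
 * match-everything pattern; that needs this step plus an ESCAPE clause.
 */
function escapeLike(string $value, string $esc = '!'): string
{
    return str_replace([$esc, '%', '_'], [$esc.$esc, $esc.'%', $esc.'_'], $value);
}

// Safe version: bound parameter plus escaped wildcards. ESCAPE '!' is
// accepted by both MySQL and SQLite.
function searchMessages(PDO $dbh, string $filter): array
{
    $sql = "SELECT id, content FROM messages WHERE content LIKE ? ESCAPE '!'";
    $stmt = $dbh->prepare($sql);
    $stmt->execute(['%'.escapeLike($filter).'%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Unsafe version from the question, kept only to show the difference.
function searchMessagesUnsafe(PDO $dbh, string $filter): array
{
    $sql = "SELECT id, content FROM messages WHERE content LIKE '%".$filter."%'";
    return $dbh->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data (hypothetical table and rows).
$dbh = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$dbh->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, content TEXT)');
$insert = $dbh->prepare('INSERT INTO messages (content) VALUES (?)');
foreach (["filter's example", "100% done", "under_score", "plain"] as $content) {
    $insert->execute([$content]);
}

// 1. The apostrophe from the question: the concatenated query is a syntax
//    error (and an injection point), the parameterized one simply matches.
try {
    searchMessagesUnsafe($dbh, "filter's");
} catch (PDOException $e) {
    echo "unsafe: ", $e->getMessage(), PHP_EOL;
}
print_r(searchMessages($dbh, "filter's"));  // the "filter's example" row

// 2. Wildcards: without escapeLike() a filter of "%" returns all four rows;
//    with it, only the row that literally contains "%" is returned.
print_r(searchMessages($dbh, '100%'));      // the "100% done" row
print_r(searchMessages($dbh, '%'));         // the "100% done" row only
```

On MySQL, also consider setting PDO::ATTR_EMULATE_PREPARES to false so the parameters are sent to the server separately rather than being quoted client-side by PDO; either mode prevents the injection, but the wildcard escaping above is needed in both.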