SQL Injection Handling?



Postby insaneuser » November 26th, 2014, 6:14 pm

I feel compelled to ask the stupid question, "SQL Injection Handling?" I guess I could plow through the code and verify, or use various cheat sheets to probe. But I just figured I'd ask instead.
insaneuser
Casual Member
 
Posts: 1
Joined: November 26th, 2014, 6:04 pm

Re: SQL Injection Handling?

Postby GeekCaveCreations » November 29th, 2014, 9:56 pm

Program O uses several methods to prevent SQL injection. The first line of defense is in not using $_GET or $_POST to obtain form variables. Instead, the script uses filter_input_array() for both GET and POST, and then combines them into a common variable called $form_vars. This single array holds all form inputs.

Secondly, since Program O now uses PDO, rather than MySQL, all queries are run through PDO::prepare() using named placeholders in the query, with variables passed to the query via either PDOStatement::bindValue() or PDOStatement::bindParam(). This serves to properly escape non-standard characters before the query is executed, thus reducing the risk of injection.

Security is something we take very seriously, so we try to take any necessary precautions with the script. I hope this answers your questions. :)
Comforting the disturbed, and disturbing the comfortable
Chat with Morti
GeekCaveCreations
Safe, Reliable Insanity, Since 1961
 
Posts: 1115
Joined: April 18th, 2011, 10:52 pm
Location: Nevada, USA
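The two measures described in the reply above (collecting input with filter_input_array() into a single $form_vars array, then running every query through PDO::prepare() with named placeholders and bindValue()), written out as an added example. This is not Program O's own code; the users table, its columns and the SQLite in-memory database are assumptions made so the script runs offline, and the sort-column whitelist at the end is an extra caveat, since placeholders bind values but not identifiers or keywords.

```php
<?php
// Added example, not Program O's code. Table/column names are assumed.
declare(strict_types=1);

// 1. Gather request input without touching $_GET / $_POST directly.
//    filter_input_array() returns null (or false) when the input array is
//    empty, e.g. on the CLI, so normalise to [] before merging.
function collect_form_vars(): array
{
    $get  = filter_input_array(INPUT_GET,  FILTER_DEFAULT) ?: [];
    $post = filter_input_array(INPUT_POST, FILTER_DEFAULT) ?: [];
    return array_merge($get, $post); // POST wins on duplicate keys
}

// 2. A PDO handle with real (non-emulated) prepared statements. With
//    emulation off on MySQL the values are sent separately from the query
//    text; pdo_sqlite always prepares natively and ignores the attribute.
function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:'); // in-memory DB so the example runs offline
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    $pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");
    return $pdo;
}

// UNSAFE (the pattern the reply says Program O avoids): the user-controlled
// value becomes part of the SQL text, so "' OR '1'='1" returns every row.
function lookup_user_unsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name, role FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: named placeholder + bindValue(). The same input is compared as a
// literal string, so the injection string simply matches no row.
function lookup_user(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, role FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Caveat: placeholders cannot bind column names or ASC/DESC. For those,
// map the request value onto a fixed whitelist instead of interpolating it.
function list_users(PDO $pdo, string $sortBy, string $dir): array
{
    $columns = ['id' => 'id', 'name' => 'name', 'role' => 'role'];
    $dirs    = ['asc' => 'ASC', 'desc' => 'DESC'];
    $col = $columns[$sortBy] ?? 'id';
    $ord = $dirs[strtolower($dir)] ?? 'ASC';
    $stmt = $pdo->prepare("SELECT id, name, role FROM users ORDER BY $col $ord");
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo       = open_db();
$form_vars = collect_form_vars();

// Constructed inputs standing in for what a request would put in $form_vars.
$name = $form_vars['name'] ?? "' OR '1'='1";
$sort = $form_vars['sort'] ?? 'name; DROP TABLE users';

echo "unsafe rows: " . count(lookup_user_unsafe($pdo, $name)) . PHP_EOL; // 2
echo "safe rows:   " . count(lookup_user($pdo, $name)) . PHP_EOL;        // 0
echo "alice:       " . count(lookup_user($pdo, 'alice')) . PHP_EOL;      // 1
echo "sorted by:   " . json_encode(array_column(list_users($pdo, $sort, 'desc'), 'name')) . PHP_EOL;
```

Run it with `php example.php` on a build that has pdo_sqlite; the unsafe lookup returns both rows for the injection string while the bound version returns none, and the unrecognised sort value falls back to the default column rather than reaching the query text.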

