
SQL Injection Handling?

Posted: November 26th, 2014, 6:14 pm
by insaneuser
I feel compelled to ask the stupid question, "SQL Injection Handling?" I guess I could plow through the code and verify, or use various cheat sheets to probe. But I just figured I'd ask instead.

Re: SQL Injection Handling?

Posted: November 29th, 2014, 9:56 pm
by GeekCaveCreations
Program O uses several methods to prevent SQL injection. The first line of defense is in not using $_GET or $_POST to obtain form variables. Instead, the script uses filter_input_array() for both GET and POST, and then combines them into a common variable called $form_vars. This single array holds all form inputs.

Secondly, since Program O now uses PDO, rather than MySQL, all queries are run through PDO::prepare() using named placeholders in the query, with variables passed to the query via either PDOStatement::bindValue() or PDOStatement::bindParam(). This serves to properly escape non-standard characters before the query is executed, thus reducing the risk of injection.

Security is something we take very seriously, so we try to take any necessary precautions with the script. I hope this answers your questions. :)
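The two measures described in the reply, shown as an added example rather than Program O's own code: inputs are gathered with filter_input_array() into one $form_vars array, then queried through a PDO prepared statement with named placeholders bound via bindValue(). It also shows the one thing placeholders cannot do, bind an identifier such as an ORDER BY column, which has to be whitelisted instead. The DSN, credentials, table and column names, and the field names say/convo_id/sort are assumptions.

```php
<?php
// Added example, not Program O's own code. DSN, credentials, table and
// column names, and the field names 'say' / 'convo_id' / 'sort' are assumptions.

// Declare the expected fields once. Undeclared fields are dropped, a missing
// field yields null, and a field that fails validation yields false.
$filters = [
    'say'      => FILTER_DEFAULT,   // free text: safe only because it goes through a placeholder
    'convo_id' => ['filter' => FILTER_VALIDATE_INT, 'options' => ['min_range' => 1]],
    'sort'     => FILTER_DEFAULT,
];
$get  = filter_input_array(INPUT_GET,  $filters) ?: [];
$post = filter_input_array(INPUT_POST, $filters) ?: [];
$notNull = fn($v) => $v !== null;
// One common array; a POST value overrides a GET value for the same field.
$form_vars = array_merge(array_filter($get, $notNull), array_filter($post, $notNull));

$pdo = new PDO('mysql:host=localhost;dbname=program_o;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares: values travel apart from the SQL text
]);

function find_conversation(PDO $pdo, array $form_vars): array
{
    $convoId = $form_vars['convo_id'] ?? null;
    if ($convoId === null || $convoId === false) {
        return []; // missing or non-integer id: refuse rather than guess
    }
    // Placeholders bind values only, never identifiers, so a column name
    // chosen by the client must be mapped through a fixed whitelist.
    $sortable = ['id' => 'id', 'timestamp' => 'timestamp'];
    $orderBy  = $sortable[$form_vars['sort'] ?? 'id'] ?? 'id';

    // The SQL text is constant; :convo_id and :say are named placeholders.
    $sth = $pdo->prepare(
        "SELECT id, input, response FROM conversation
          WHERE convo_id = :convo_id AND input = :say
          ORDER BY $orderBy"
    );
    $sth->bindValue(':convo_id', $convoId, PDO::PARAM_INT);
    $sth->bindValue(':say', (string) ($form_vars['say'] ?? ''), PDO::PARAM_STR);
    $sth->execute();
    return $sth->fetchAll(PDO::FETCH_ASSOC);
}

// Whatever quote or comment characters arrive in 'say', they reach the server
// as literal bytes inside the bound string, never as part of the query text.
print_r(find_conversation($pdo, $form_vars));
```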