Home/ Questions/Q 9248925
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-18T10:04:04+00:00

$_pdo = new Data(‘mysql:host=’.$db_host.’;dbname=’.$db_name.’;port=’.$db_port, $db_user, $db_pass, array(PDO::MYSQL_ATTR_INIT_COMMAND => ‘SET NAMES ‘.$charset)); Variables come from

  • 0

$_pdo = new Data(‘mysql:host=’.$db_host.’;dbname=’.$db_name.’;port=’.$db_port, $db_user, $db_pass, array(PDO::MYSQL_ATTR_INIT_COMMAND => ‘SET NAMES ‘.$charset));

Variables come from form.
User can make a sql injection if I don’t strip this variables?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If you are accepting input from a form to create the connection I would probably use some sanitization functions to clean it up before using it. If this is being stored in a text file or a database it would be a good idea to sanitize before it is saved as well before it is used.

    http://php.net/manual/en/function.filter-var.php 

    $db_host = filter_var($db_host,FILTER_SANITIZE_FULL_SPECIAL_CHARS);

    Equivalent to calling htmlspecialchars() with ENT_QUOTES set. Encoding
    quotes can be disabled by setting FILTER_FLAG_NO_ENCODE_QUOTES. Like
    htmlspecialchars(), this filter is aware of the default_charset and if
    a sequence of bytes is detected that makes up an invalid character in
    the current character set then the entire string is rejected resulting
    in a 0-length string.
    http://www.php.net/manual/en/filter.filters.sanitize.php

    • 0