I currently have this type of PDO statement to INSERT variables into the array below. I was told using PDO statements would be the most secure way of doing an insert in PHP.
$qry = $db->prepare('INSERT INTO twocents (path, name, message) VALUES (?, ?, ?)');
$qry->execute(array($path, $name, $message));
Now, would setting $path, $name, and $message to the POST values from a posted form still be as secure? I’m not sure how else you would do an INSERT if those variables weren’t being set by anything.
Thanks!
Yes, this is completely secure in terms of SQL injections prevention.
However, you’ll probably still need to escape the data on output, e.g. if the $message you received is <script language="Javascript" src="http://evil.site.com/evil.script.js"></script>, you probably wouldn’t want to output it with <p><?=$message?></p>. Some template engines (XSLT for example) eliminate this problem by separately processing HTML (XML) code and data, so that in <p><xsl:value-of select="message"/></p>, message is treated as a <p/> node text value and is automatically escaped when the processed XML is written out as a string.
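The two halves of the answer in one runnable script, as an added example that is not code from the question or the answer: the POST fields are bound as parameters exactly as in the asker's prepare/execute pair, and the stored text is escaped with htmlspecialchars when it is rendered. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite table named twocents in place of the asker's MySQL table; the request array, the injection attempt in name and the script payload in message are constructed inline rather than taken from a real $_POST.

```php
<?php
// Added example, not code from the original question or answer.
// Assumes the pdo_sqlite extension; an in-memory SQLite database stands in
// for the asker's table `twocents`. $fakePost is a constructed request array.

declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on errors instead of silently returning false.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE twocents (path TEXT, name TEXT, message TEXT)');
    return $db;
}

function insertComment(PDO $db, array $post): void
{
    // Read the fields from the request array. They are sent to the driver as
    // bound values, never spliced into the SQL text, so quotes, semicolons or
    // comment markers in them cannot change the statement being run.
    $path    = (string) ($post['path'] ?? '');
    $name    = (string) ($post['name'] ?? '');
    $message = (string) ($post['message'] ?? '');

    $qry = $db->prepare('INSERT INTO twocents (path, name, message) VALUES (?, ?, ?)');
    $qry->execute([$path, $name, $message]);
}

function escapeForHtml(string $value): string
{
    // Escape on output: &, <, >, " and ' become entities, so stored markup
    // is shown as text instead of being parsed by the browser.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderComments(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT name, message FROM twocents') as $row) {
        $html .= '<p><b>' . escapeForHtml($row['name']) . '</b>: '
               . escapeForHtml($row['message']) . "</p>\n";
    }
    return $html;
}

// Constructed request: an injection attempt in `name`, a script payload in `message`.
$fakePost = [
    'path'    => '/article/1',
    'name'    => "bob'); DROP TABLE twocents; --",
    'message' => '<script src="http://evil.site.com/evil.script.js"></script>',
];

$db = openDb();
insertComment($db, $fakePost);

// The table still exists and holds the hostile strings verbatim.
$count = (int) $db->query('SELECT COUNT(*) FROM twocents')->fetchColumn();
echo "rows stored: {$count}\n";

// Rendering through escapeForHtml() prints the script tag as literal text;
// echoing $row['message'] directly, as in <p><?=$message?></p>, would run it.
echo renderComments($db);
```

Escaping belongs at the output boundary rather than before the INSERT: the database should hold what the user typed, and the same value may later go into a JSON response, an e-mail or a log where HTML entities would be wrong. With pdo_mysql, it is also usual to set PDO::ATTR_EMULATE_PREPARES to false so the server, not PHP, handles the parameter binding; that attribute is omitted here because the SQLite driver does not use it.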