I use PHP and make my SQL calls with an ORM called Idiorm.
A request might look like this:
$person = ORM::for_table('person')->create();   // new, unsaved row for table "person"
$person->name = $_POST['name'];                  // column values taken straight from the request
$person->age = $_POST['age'];
$person->save();                                 // Idiorm builds and executes the INSERT
It works just fine, but it might not be secure against SQL injection. What is the correct / best way to solve this? Example?
From their readme:
However, for the table name it says
Same goes for limiting, ordering and grouping, so for those you need to think of alternate methods (such as letting only ASCII-7 chars pass, for example). If you need to do it, limits are just integers, so you can do a ctype_digit check. For ordering and grouping, you could check for alphanumerics, assuming you don't have anything else in your column names. That can be done with ctype_alnum.
But the query you have there should be fine, as it doesn't have those.
Of course, you shouldn’t just believe it – test it.
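The checks the answer describes, written out as an added example (not code from the question, the answer, or the Idiorm project). It assumes Idiorm is loaded and `ORM::configure()` has already been called; the table `person`, its columns, the `find_people` helper and the sample input are made up for illustration. Beyond the `ctype_digit` / `ctype_alnum` checks the answer suggests, it also compares the requested column against a fixed allow-list, which is the stricter check a defender would normally want, since Idiorm parameterises values but splices identifiers and limits into the SQL string as given.

```php
<?php
// Added example; assumes require 'idiorm.php' and ORM::configure(...) have run.
// Table, column names and sample input below are constructed, not real.

// Columns a caller is permitted to sort or group by. An allow-list is
// stricter than ctype_alnum alone: it also rejects well-formed but unknown names.
const PERSON_SORTABLE = ['id', 'name', 'age'];

/**
 * Validate an identifier from user input before it is used as a column name.
 * Idiorm does not bind identifiers as parameters, so this check is all that
 * stands between the request and the ORDER BY / GROUP BY clause.
 */
function safe_column(string $candidate, array $allowed): string
{
    // ctype_alnum is the check from the answer; the allow-list is the extra step.
    if (!ctype_alnum($candidate) || !in_array($candidate, $allowed, true)) {
        throw new InvalidArgumentException("Unknown column: $candidate");
    }
    return $candidate;
}

/** Validate a LIMIT from user input: digits only, then cast and cap it. */
function safe_limit(string $candidate, int $max = 100): int
{
    if (!ctype_digit($candidate)) {
        throw new InvalidArgumentException('Limit must be a non-negative integer');
    }
    return min((int) $candidate, $max);
}

/** Hypothetical lookup: filter by name, sort and limit from request input. */
function find_people(array $input): array
{
    $col   = safe_column($input['sort'] ?? 'id', PERSON_SORTABLE);
    $limit = safe_limit($input['limit'] ?? '20');

    // The name filter is a value: where() passes it to the prepared statement
    // as a bound parameter, so it needs no character filtering here.
    return ORM::for_table('person')
        ->where('name', $input['name'] ?? '')
        ->order_by_asc($col)
        ->limit($limit)
        ->find_many();
}

// Constructed sample input, shaped like a submitted form or query string.
$sample = ['name' => "O'Brien", 'sort' => 'age', 'limit' => '5'];
print_r(find_people($sample));

// A 'sort' value containing spaces or punctuation fails ctype_alnum, and a
// column not in PERSON_SORTABLE fails the allow-list; either throws before
// any SQL is built. A non-numeric 'limit' is rejected the same way.
```

The apostrophe in the sample name is deliberate: it shows that values go through Idiorm's parameter binding untouched, while the identifier and limit, which Idiorm cannot bind, are the only pieces that need validation in application code.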