I’m letting users update their name with this code.
```php
$dbh = connect();
// Prepared statement: the values are sent separately from the SQL text
$q = $dbh->prepare('UPDATE Users SET username=:name WHERE User_ID=:id LIMIT 1');
$q->bindParam(":id", $loggedInUser->user_id, PDO::PARAM_INT);
$q->bindParam(":name", $_GET['name'], PDO::PARAM_STR);
$q->execute();
```
a) Is this enough to sanitize information?
b) When I put HTML tags in there like &lt;b&gt;name&lt;/b&gt; it actually shows up in bold on my site! Is there an option where I can have PDO strip out all HTML?
Looks reasonably sound. I would suggest using POST instead of GET for destructive / manipulative operations though. You're far less likely to suffer from CSRF attacks if you stick to POST data, though it does not make you totally immune.
If you do not actually want users to enter HTML into the name field, don't worry about filtering data on the way into the database. Escape it on the way out via htmlspecialchars() or htmlentities(). I've always stood by the idea that data should go into the database as raw as possible.
Edit: Almost forgot, make sure the expected values in $_GET/$_POST actually exist before attempting to use them, e.g.
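The following is an added example, not code from the question or the answer above. It reworks the question's UPDATE along the lines the answer suggests: accept the change only via POST, check that the field actually exists before touching it, store the raw value, and escape with htmlspecialchars() only when rendering. It assumes the question's connect() helper and $loggedInUser object exist and that a per-session CSRF token was issued with the form; the function names read_posted_name(), update_username() and render_name() and the $_SESSION['csrf_token'] key are hypothetical.

```php
<?php
// Added example, not the original poster's or answerer's code.
// Assumes connect() and $loggedInUser from the question are defined.
declare(strict_types=1);

session_start();

// Read the new name from a POST request only. filter_input() returns null
// when the key is absent, so there is no "undefined index" notice and no
// accidental update to an empty name. Returns null if the request should
// be ignored.
function read_posted_name(): ?string
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return null;
    }

    // POST alone does not stop CSRF; compare a token the form carried with
    // the one stored in the session (constant-time comparison).
    // $_SESSION['csrf_token'] is assumed to have been set when the form was rendered.
    $token = filter_input(INPUT_POST, 'csrf_token', FILTER_UNSAFE_RAW);
    if (!is_string($token) || !isset($_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], $token)) {
        return null;
    }

    $name = filter_input(INPUT_POST, 'name', FILTER_UNSAFE_RAW);
    if (!is_string($name)) {
        return null;   // field missing or not a plain string
    }
    $name = trim($name);

    // Column width is finite; reject over-long input rather than letting the
    // database truncate it silently. 64 is a constructed limit.
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
        return null;
    }
    return $name;
}

// Store the value as-is: the prepared statement handles SQL quoting, and
// HTML like "<b>name</b>" is kept raw, exactly as the answer recommends.
function update_username(PDO $dbh, int $userId, string $name): bool
{
    $q = $dbh->prepare('UPDATE Users SET username = :name WHERE User_ID = :id LIMIT 1');
    $q->bindValue(':id', $userId, PDO::PARAM_INT);
    $q->bindValue(':name', $name, PDO::PARAM_STR);
    return $q->execute();
}

// Escape on the way out. "<b>name</b>" becomes "&lt;b&gt;name&lt;/b&gt;",
// which the browser shows as literal text instead of rendering bold.
// ENT_QUOTES also escapes single quotes so the value is safe inside
// attribute values quoted either way.
function render_name(string $rawName): string
{
    return htmlspecialchars($rawName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$name = read_posted_name();
if ($name !== null) {
    $dbh = connect();
    update_username($dbh, (int) $loggedInUser->user_id, $name);
}

// Somewhere in the template, after reading the name back from the database:
// echo '<span class="name">' . render_name($storedName) . '</span>';
```

bindValue() is used instead of bindParam() because the value is already a local string; bindParam() binds by reference, which is only needed when the variable changes before execute(). The escaping in render_name() is the only place HTML is neutralised, so the same stored name can still be emitted unescaped into a non-HTML context (JSON, plain-text e-mail) without double-encoding.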