Home/ Questions/Q 8376847
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-09T15:31:26+00:00

I’m trying to insert the visitor’s inputs into a database. This works, but –

  • 0

I’m trying to insert the visitor’s inputs into a database.
This works, but – is this good enough to prevent sql injection ?

<?php
$db_host = "localhost";
$db_name = "db_qadenza";
$db_user = "root";

$odb = new PDO ("mysql:host=" . $db_host . ";dbname=" . $db_name, $db_user);

if(isset($_POST['Submit']))
{
$user = $_POST['user'];
$pass = $_POST['pass'];
$mail = $_POST['mail'];
$confirm_key=md5(uniqid(rand()));

$q = "INSERT INTO members (user, pass, mail, confirm_key)
VALUES(:user, :pass, :mail, :confirm_key);";

$query = $odb->prepare($q);
$results = $query->execute(array(
":user"=>$user,
":pass"=>$pass,
":mail"=>$mail,
":confirm_key"=>$confirm_key,
));

exit();
}
?>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    There are two issues with your code.

    1. You are using emulated prepared statements. This is the default behavior for PDO_MYSQL driver. To circumvent it, you should add: 

      $odb->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

      In combination with missing charset for the communication with DB, which can make your code open to injections. For establishing the connection you should use:

      $odb = new \PDO('mysql:host=localhost;dbname=******;charset=UTF-8', 
                'user', 'pass');

    2. Your method of hashing password is insecure (or, actually, does not exist). Instead you should use crypt() function with CRYPT_BLOWFISH or PBKDF2 and different salt for each password.

    Also , you might consider using bindParam() method for seting the aluse of named parameters, since setting them through execute() would bind the values as PDO::PARAM_STR, but there are other options, that you might find useful.

    • 0