Im trying to work with PDO for the first time and I’m just wanting

Question

0

Asked: June 7, 20262026-06-07T09:27:02+00:00 2026-06-07T09:27:02+00:00

Im trying to work with PDO for the first time and I’m just wanting

0

Im trying to work with PDO for the first time and I’m just wanting to know how secure what I’m doing is, I’m also new to PHP.

I have a query that when a user is passed ot my page, the page takes a variable using GET and then runs.

With PHP I’ve always used mysql_real_escape to sanitize my variables.

Can anybody see security flaws with this?

// Get USER ID of person
$userID = $_GET['userID'];

// Get persons
$sql = "SELECT * FROM persons WHERE id =$userID";
$q = $conn->query($sql) or die($conn->error());
while($r = $q->fetch(PDO::FETCH_LAZY)){
    echo '<div class="mis-per">';
    echo '<span class="date-submitted">' . $r['date_submitted'] . '</span>';
   // MORE STUF
    echo '</div>';
}

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-07T09:27:05+00:00

Don’t use query, use prepare:

http://php.net/manual/de/pdo.prepare.php

$userID = $_GET['userID'];

$sql = "SELECT * FROM persons WHERE id = :userid";

$q = $conn->prepare($sql)
$q->execute(array(':userid' => $userID ));

while($r = $q->fetch(PDO::FETCH_ASSOC)){ 
    echo '<div class="mis-per">'; 
    echo '<span class="date-submitted">' . $r['date_submitted'] . '</span>'; 
   // MORE STUF 
    echo '</div>'; 
}

The SQL statement can contain zero or more named (:name) or question mark (?) parameter markers for which real values will be substituted when the statement is executed.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Im trying to work with PDO for the first time and I’m just wanting

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply