Is it secure to call __construct() in login or sign up class this way:
    class Login
    {
        private $_user, $_pass, $_DBH;
        public function __construct(PDO $DBH, $user, $pass)
        {
            $this->_user = $user;   // raw POST value, sanitized/escaped later in the class
            $this->_pass = $pass;
            $this->_DBH  = $DBH;
        }
    }
    // Called as: new Login($DBH, $_POST['1'], $_POST['2']);
I want to sanitize user input later inside this class, and I'm not sure whether my code would be ripe for SQL injection or XSS because the class is constructed with raw POST input.
If you know you sanitize/use prepared statements (i.e. the raw POST data is not inserted as-is into the query), it's fine to do so.
In fact, if you use prepared statements, you don’t need to sanitize your input at all (for SQL, if you’re going to display the data as HTML, it still needs to be sanitized as such).
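To make the answer concrete, here is an added example (not code from the question or the answer above) of the same constructor holding raw POST values, with the SQL side handled by a PDO prepared statement and the HTML side by htmlspecialchars(). It assumes a `users` table with `username` and `password_hash` columns, created inline in SQLite so it runs stand-alone.

```php
<?php
// Added example (not from the question or answer above). Assumes a `users`
// table with columns `username` and `password_hash` (output of password_hash()).
class Login
{
    private $_user;
    private $_pass;
    private $_DBH;

    // Keeping the raw POST values is fine: nothing here is interpolated into SQL.
    public function __construct(PDO $DBH, $user, $pass)
    {
        $this->_user = (string) $user;
        $this->_pass = (string) $pass;
        $this->_DBH  = $DBH;
    }

    // SQL side: a prepared statement with a bound parameter, so the username is
    // sent as data and never becomes part of the query text.
    public function authenticate()
    {
        $stmt = $this->_DBH->prepare('SELECT password_hash FROM users WHERE username = :u');
        $stmt->execute([':u' => $this->_user]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row !== false && password_verify($this->_pass, $row['password_hash']);
    }

    // HTML side: prepared statements do nothing for output, so the value must be
    // escaped as HTML when it is echoed back into a page.
    public function displayName()
    {
        return htmlspecialchars($this->_user, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Self-contained demo with an in-memory SQLite database and one constructed user.
$DBH = new PDO('sqlite::memory:');
$DBH->exec('CREATE TABLE users (username TEXT, password_hash TEXT)');
$ins = $DBH->prepare('INSERT INTO users VALUES (:u, :h)');
$ins->execute([':u' => 'bob', ':h' => password_hash('hunter2', PASSWORD_DEFAULT)]);

$good = new Login($DBH, 'bob', 'hunter2');
$bad  = new Login($DBH, "bob' OR '1'='1", 'hunter2');   // would break a concatenated query
var_dump($good->authenticate());   // the quote is just data to the bound parameter
var_dump($bad->authenticate());
echo $bad->displayName(), "\n";    // quotes come out as HTML entities
```

The second login fails cleanly because the quote travels as a bound value rather than query text, and displayName() shows that escaping for HTML is a separate step from parameterizing SQL.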