I’ve been looking into the most efficient method of cleaning user input. My application is a simple post request that is used to authenticate a user. Looking online I can find more then a dozen different “best” methods of doing this. A lot of these methods use deprecated php functions or seem overly complicated. In order to connect to my sql database I use the PDO class.
While searching for my own functions I stumbled accross this:
Prepared statements with bound parameters are not only more portable, more convenient, immune to SQL injection, but are often much faster to execute than interpolated queries, as both the server and client side can cache a compiled form of the query.
I already use the prepare method to create my statement. Does this mean I’m safe against SQL injection attacks? What else should I be worried about?
If you bind ALL user data via prepared statements with PDO you should be safe from injection. Any variables you put into your SQL statement (like sort order) that you do not bind, is an open vector for attack.