Home/ Questions/Q 7613663
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T02:12:32+00:00

Possible Duplicate: Best way to stop SQL Injection in PHP How do I sanitize

  • 0

Possible Duplicate:
Best way to stop SQL Injection in PHP
How do I sanitize input with PDO?

I’m pulling in an id via $_GET. I just started using PDO and I’m unsure if this is safe or not. Obviously, the code below is using $_GET to grab an id. I’m not sanitizing it at all before I place it in the query. Is this safe?

<?php
if (isset($_GET['id'])) {
$blogid = $_GET['id'];
$post = $dbh->query("SELECT id, title, slug, body, image, author, date, category from   blog WHERE id='$blogid' ORDER BY date DESC");
$row = $post->fetch(); ?>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’m not sanitizing it at all before I place it in the query

    Nope. Not safe at all. 🙂

    You either need to escape it, or use a prepared statement. With PDO, I would use a prepared statement:

    if (isset($_GET['id']) && is_string($_GET['id'])) {
    $blogid = $_GET['id'];
    $stmt = $dbh->prepare("SELECT id, title, slug, body, image, author, date, category from   blog WHERE id= :id ORDER BY date DESC");
    $stmt->execute(array('id' => $_GET['id']));
    $row = $stmt->fetch();
}
    • 0