Home/ Questions/Q 9192003
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T20:49:24+00:00

Possible Duplicate: How to prevent SQL injection in PHP? I have this code $where

  • 0

Possible Duplicate:
How to prevent SQL injection in PHP?

I have this code 

$where = '';
if (isset($_POST['lvl']) && $vals = $_POST['lvl']) {
    $where = 'WHERE ';
$first = false;
if ($vals[0] === '0') {
    $where .= 'team = "neutral"';
    unset($vals[0]);
    $first = true;
}
if (count($vals)) {
    if ($first) $where .= ' OR ';
    $where .= 'lvl IN (\'' . implode('\',\'', $vals) . '\')';
}}
    $sql = "SELECT * FROM $table $where";
$res = $DBH->prepare($sql);
$res->execute();
$num = $res->rowCount();
echo "<h2>".$num."</h2>";

It works, but if someone did something, then this happens. How to fix this?

UPD: added PDO code

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You need to use PDO::quote() for all string values.
    Also you should never select all the records when you need only to count them. Ask a database to do it for you

    $where = '';
if (!empty($_POST['lvl'])) {
    $vals = $_POST['lvl'];
    $where = 'WHERE ';
    if ($vals[0] === '0') {
        $where .= "team = 'neutral'";
        unset($vals[0]);
        if ($vals) {
            $where .= " OR ";
        }
    }
    if ($vals) {
        foreach ($vals as $i => $val) {
           $vals[$i] = $DBH->quote($val);
        }
        $where .= "lvl IN (".implode(',', $vals).")";
    }
}
$sql = "SELECT count(*) as cnt FROM $table $where";
$res = $DBH->query($sql);
$res->execute();
$row = $res->fetch();
echo "<h2>".$row['num']."</h2>";

    By the way, with my own class the code would be slightly less complex, because it makes manual escaping unnecessary (it is using mysqli, not PDO though). 

    $where = '';
if (!empty($_POST['lvl'])) {
    $vals = $_POST['lvl'];
    $where = 'WHERE ';
    if ($vals[0] === '0') {
        $where .= "team = 'neutral'";
        unset($vals[0]);
        if ($vals) {
            $where .= " OR ";
        }
    }
    if ($vals) {
        $where .= $db->parse("lvl IN (?a)",$vals);
    }
}
$num = $db->getOne("SELECT count(*) as cnt FROM ?n ?p",$table, $where);
echo "<h2>".$num."</h2>";
    • 0