Usually, I use PDO’s prepared statements, type casting to (int), or PDO::quote() to prevent SQL injection. For this application, I need to modify the date using PHP before adding it to the query. Do I need to take extra steps to prevent SQL injection, or am I safe? Thanks
<?php
// DateTime() throws an Exception if the input cannot be parsed as a date
$date = new DateTime($_GET['suspect_user_provided_date']);
$date->add(new DateInterval('P1D'));
// the formatted date is concatenated straight into the SQL text
// (`table` is a reserved word in MySQL, so the identifiers are quoted)
$sql = 'SELECT * FROM `table` WHERE `date` < "' . $date->format('Y-m-d') . '"';
It doesn’t matter if the DateTime object is safe or not. You should escape the data you are passing to the query and not rely on the safety of the provided library. If you change the implementation, you will not need to care if the new implementation is safe or not. You should always escape. Otherwise you will try to answer – and to remember – for each function – was it safe for SQL? for HTML? for CSV? for http / mail headers? for… don’t! The line of code that sends a query should know nothing about the DateTime implementation and if it’s safe or not.
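The following is an added example, not code from the question or the answer above: it rewrites the asker's query so that the formatted date is bound as a parameter with a PDO prepared statement instead of being concatenated into the SQL string, and it treats a DateTime parse failure as input validation rather than letting it reach the query. The in-memory SQLite database, the `events` table, its column names and the sample inputs are all constructed for the example and are not part of the original post.

```php
<?php
// Added example: bind the formatted date as a parameter so the query text never
// depends on what DateTime::format() produces. Table and column names are assumptions.

function findEventsBefore(PDO $pdo, string $userSuppliedDate): array
{
    // DateTime throws an Exception on input it cannot parse; treat that as a
    // validation failure instead of letting the value reach the query.
    try {
        $date = new DateTimeImmutable($userSuppliedDate);
    } catch (Exception $e) {
        throw new InvalidArgumentException('Unparseable date', 0, $e);
    }
    $date = $date->add(new DateInterval('P1D'));

    // The SQL text contains only a placeholder; the value travels separately,
    // so neither the DateTime implementation nor the user can change the query structure.
    $stmt = $pdo->prepare('SELECT id, event_date FROM events WHERE event_date < :cutoff');
    $stmt->execute([':cutoff' => $date->format('Y-m-d')]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database standing in for the asker's real table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, event_date TEXT NOT NULL)');
$pdo->exec("INSERT INTO events (event_date) VALUES ('2024-01-01'), ('2024-02-15'), ('2024-03-31')");

// Constructed sample inputs, standing in for $_GET['suspect_user_provided_date'].
// The second one carries trailing characters DateTime cannot parse, so it is rejected
// before any SQL is built; the first is bound as a plain string value.
foreach (['2024-02-14', '2024-02-14" OR "1"="1', 'not a date'] as $input) {
    try {
        $rows = findEventsBefore($pdo, $input);
        printf("%-25s -> %d row(s)\n", $input, count($rows));
    } catch (InvalidArgumentException $e) {
        printf("%-25s -> rejected (%s)\n", $input, $e->getMessage());
    }
}
```

Binding the value keeps the query line independent of DateTime, which is exactly the point of the answer: `format('Y-m-d')` happens to emit only digits and dashes today, but the code that sends the query does not need to know that, and it stays correct if the date handling is later replaced by something else.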