我的PDO INSERT INTO是否足够安全？

Question

I would like your opinion about my code. Is it secure enough against any injections. Thanks for your replies.

class Product extends DB {

  public function __construct() {
    $db = $this->DB();

    if(isset($_POST['productName'])) {
        foreach ($_POST as $key => $value) {
            if (ini_get('magic_quotes_gpc'))
                $_POST[$key] = stripslashes($_POST[$key]);
                $_POST[$key] = htmlspecialchars(strip_tags($_POST[$key]));
        }
        $this->AddProduct();
    }
  }

  public function AddProduct() {
    $sSQL = "INSERT INTO ".PREFIX."product (productName, productPrice) 
                VALUES (:productName,:productPrice)";
    $query = $this->db->prepare($sSQL);
    $query->execute(array(
        ":productName" => $_POST['productName'],
        ":productPrice" => $_POST['productPrice']
    )); 
  }
}

Answer 1

Using query parameters is enough to make it secure against SQL injection vulnerability.

The code that calls htmlspecialchars and strip_tags is not relevant to SQL injection. It might be called for to prevent Cross-Site Scripting vulnerabilities, but that's a separate issue. I don't recommend doing those steps as you insert data into the database. Just filter against XSS vulnerabilities when you output to HTML. Otherwise, you get literal & sequences stored in your database, and that's premature. You aren't necessarily going to use the data to display in HTML every time. Just encode it when you output, not when you input.

I never bother with compensating for the possible magic_quotes_gpc. Test for it when you deploy your app, and abort the deployment. It's not valid for any PHP instance to set magic_quotes_gpc in 2014.