PDO表单输入

Question

Currently I'm working with this code, it works as it is however needless to say it leaves it open to vulnerabilities any time I change $dateTo to :dateTo the query stops working any advice would be great.

    $from = $_POST['from'];
    $dateTo = $_POST['dateTo'];
    $hourTo = $_POST['hoursTo'];
    $hourFrom = $_POST['hoursFrom'];
    $minuteTo = $_POST['minutesTo'];
    $minuteFrom = $_POST['minutesFrom'];

$sql = "SELECT sum(countAudit) AS AMZL, sum(countAudit) AS OTHER, dateEntered, count(sort_id) AS Audited, sum(error) AS error, timeEntered 
FROM audits WHERE (dateEntered BETWEEN ':from' AND '$dateTo')"; 



$query = $db->prepare($sql);
$query->bindParam(':from', $from);
$query->bindParam(':dateTo', $dateTo);

    $query->execute();
foreach($db->query($sql) as $row){
    echo $row['AMZL'] . "<br>";
}

Answer 1

Use prepared statements properly, named placeholders doesn't need to be quoted.

Plus, don't directly inject variables inside the query statement:

AND '$dateTo')"; 

It defeats the purposes of prepared statements.

And don't mix up ->query() and ->execute() . Just use straight up ->execute() :

$db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
// turn on error reporting

$from = $_POST['from'];
$dateTo = $_POST['dateTo'];
$hourTo = $_POST['hoursTo'];
$hourFrom = $_POST['hoursFrom'];
$minuteTo = $_POST['minutesTo'];
$minuteFrom = $_POST['minutesFrom'];

$sql = "
    SELECT 
    sum(countAudit) AS AMZL, 
    dateEntered, 
    count(sort_id) AS Audited, 
    um(error) AS error, 
    timeEntered 

    FROM audits 
    WHERE (dateEntered BETWEEN :from AND :dateTo)
"; //                           ^remove quotes^ 

$query = $db->prepare($sql);
$query->bindParam(':from', $from);
$query->bindParam(':dateTo', $dateTo);
$query->execute(); // execute
$results = $query->fetchAll(PDO::FETCH_ASSOC);
// don't forget to fetch the results

foreach($results as $row){
    echo $row['AMZL'] . "<br>";
}