how to avoid sql injection with sql constants
Question
I made it to where my constant is accepting input from users in sql but my value(1) is hard-coded ,i tried to use bindValue to protect this but bindValue doesnt work for constant , can this be hacked and explain how this could be done
$type = $_POST['type'] ;
$update = $conn->prepare("UDPATE book SET $type = 1") ;
$update->execute() ;
1 answers
solution1
0 2018-05-28 14:01:07
You need to use Prepared Statements, please look at bindParam. Also, have an array of columns that the user is allowed to edit.
$editable_columns = ['author', 'price'];
$type = $_POST['type'] ;
if(!in_array($type, $editable_columns)) exit("you are not allowed to edit this column");
$update = $conn->prepare("UDPATE book SET :type = 1") ;
$update->bindParam(':type', $type);
$update->execute() ;
more examples here: http://php.net/manual/en/pdo.prepared-statements.php
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
How to validate integer values to avoid SQL injection?
Avoid sql injection in yii2
How to sanitize data in php in order to avoid SQL injection?
How to avoid SQL injection and XSS attacks when in PHP?
A way of globalising the mysql function to avoid sql injection
The safest way to avoid SQL injection in PHP?
Transforming mysql query to prepare to avoid sql injection
Avoid SQL injection in registration form php
SQL Injection: trying to avoid it but got an error
How to avoid SQL Injection in SQL query with Like % Operator. only php mysql
Related Tags