
POST security with PDO?


Problem

So I have some code that works as PDO. But is it secure? I'm trying to prevent SQL injection. This is my first PDO script and was hoping to see if it was done correctly. Here it is.

<?php
// The opening of this script (the PDO connection inside a try block) was lost
// when the page was extracted; it is reconstructed here with placeholder
// connection values (DB_HOST, DB_NAME, DB_USER, DB_PASS), not the asker's real ones.
try {
    $con = new PDO('mysql:host=DB_HOST;dbname=DB_NAME', 'DB_USER', 'DB_PASS');
} catch (PDOException $e) {
    echo $e->getMessage();
}

$code = $_POST['email'];

$DATA = $con->prepare("INSERT INTO users (code) VALUES (:code)");
$DATA->bindValue(':code', $code);
$DATA->execute();
?>

Solution

It depends on what you're looking to be safe.

If you're worried about the Bobby Tables case, you're fine. However, there are many risks that come with user input cases.

For such a simple script, little can go wrong. However, below is only one concern that can happen (however it is probably your most threatening):
Cross-site Scripting (XSS)

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. (OWASP)

Basically, without validating what comes out of your data source, someone could input something nasty, thereby giving anyone else who sees that data something nasty.

So to best protect yourself, sanitize any output from the data source and know the various attacks. Here's a good read on SO.

Also, it'd be great if you could format your code so it's more consistent and readable. Such as giving appropriate spacing around operators, correct indentations, and simply better variable names (why shorten $dbname, why CAPS $DATA?).
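As an added example that is not part of the original question or answer, the following script keeps the asker's prepared-statement insert and adds the output path the answer is talking about, where the stored value is escaped before it is printed into HTML. It assumes an in-memory SQLite database so it runs stand-alone; the asker's real DSN and credentials are not on the page.

```php
<?php
// Added example, not the asker's script: store a POSTed value with a prepared
// statement, then render it back with output escaping. Uses in-memory SQLite
// (an assumption) so it runs offline with no server or credentials.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on errors instead of silently returning false from prepare/execute.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (code TEXT NOT NULL)');
    return $pdo;
}

// Same pattern as the question: the value travels as a bound parameter, so the
// database never parses it as SQL (the "Bobby Tables" case is covered).
function storeCode(PDO $pdo, string $code): void
{
    $stmt = $pdo->prepare('INSERT INTO users (code) VALUES (:code)');
    $stmt->bindValue(':code', $code, PDO::PARAM_STR);
    $stmt->execute();
}

// The part the answer is about: what comes *out* of the database must be
// escaped for the context it is printed into, here an HTML text node.
function renderCodes(PDO $pdo): string
{
    $html = '<ul>';
    foreach ($pdo->query('SELECT code FROM users') as $row) {
        $html .= '<li>' . htmlspecialchars($row['code'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
    }
    return $html . '</ul>';
}

$pdo = connect();
// Constructed inputs: a normal value, a classic SQL-injection string and a
// script tag. In the real script these would arrive via $_POST['email'].
$inputs = ["alice@example.com", "x'); DROP TABLE users; --", "<script>alert(1)</script>"];
foreach ($inputs as $input) {
    storeCode($pdo, $input);
}
// The table still exists with three rows, and the script tag comes back as
// inert text (&lt;script&gt;...) that the browser will not execute.
echo $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn(), " rows\n";
echo renderCodes($pdo), "\n";
```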

Context

StackExchange Code Review Q#54988, answer score: 4
