So I have a UTF8MB4 database on phpMyAdmin for MySQL, and I'm using PDO in PHP for interacting with my database. I really want to know, just to be 100% sure, whether the 'bindValue' function really escapes data. I've heard that the SQL query and the data are sent separately, but I want to know if that's true. Is there any way 'bindValue' can be bypassed so that SQL injection can occur?
Example Code:
$db = new PDO(...);
// Notice how I'm not sanitizing $_GET, is this okay?
// (`table` is a reserved word in MySQL, so it has to be backtick-quoted to be a valid table name.)
$query = $db->prepare("SELECT * FROM `table` WHERE Username = :username");
$query->bindValue(":username", $_GET["username"]);
$query->execute();
// rowCount() on a SELECT is driver-dependent; MySQL with buffered queries does report the number of rows.
echo "Rows: " . $query->rowCount();
while ($row = $query->fetch(PDO::FETCH_ASSOC)) {
    echo $row["Username"];
}
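The following is an added example, not code from the original post, that puts the two approaches side by side: the same attacker-controlled string run once through string concatenation and once through prepare/bindValue. It uses an in-memory SQLite database so it runs stand-alone; the table name `users`, the sample rows and the `$payload` string are constructed for the example. The PDO binding API is the same one the post uses against MySQL.

```php
<?php
// Added example (not from the original post). SQLite in-memory is used only so
// the script runs offline; the prepare/bindValue pattern is identical for MySQL.
declare(strict_types=1);

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, Username TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (Username) VALUES (:u)');
    foreach (['alice', 'bob'] as $u) {          // constructed sample rows
        $ins->bindValue(':u', $u, PDO::PARAM_STR);
        $ins->execute();
    }
    return $db;
}

// Vulnerable: the user input is spliced into the SQL text, so quote characters
// in the input change the structure of the statement.
function countByConcatenation(PDO $db, string $username): int {
    $sql = "SELECT * FROM users WHERE Username = '" . $username . "'";
    return count($db->query($sql)->fetchAll(PDO::FETCH_ASSOC));
}

// Safe: the SQL text is fixed at prepare() time and the input only ever
// travels as a parameter value; it can never become part of the statement.
function countByBinding(PDO $db, string $username): int {
    $stmt = $db->prepare('SELECT * FROM users WHERE Username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

$db = makeDb();
$payload = "' OR '1'='1";   // constructed attacker input, the classic tautology

echo "concatenation: " . countByConcatenation($db, $payload) . PHP_EOL;
echo "bindValue:     " . countByBinding($db, $payload) . PHP_EOL;
echo "bindValue:     " . countByBinding($db, 'alice') . PHP_EOL;
```

The concatenated query returns both rows because the tautology rewrites the WHERE clause, while the bound query returns none: there is no user literally named `' OR '1'='1`, and a real username such as `alice` still returns its one row. Against MySQL the same pattern applies, with two practical caveats: put `charset=utf8mb4` in the DSN rather than issuing `SET NAMES` after connecting, so PDO knows the connection charset, and set `PDO::ATTR_EMULATE_PREPARES` to `false` if you want the statement and its parameters sent to the server separately (with emulation left on, PDO escapes the value client-side using the DSN charset, which is also safe as long as that charset is correct).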