Is this code safe from SQL injection?

L

LamerFromSpace2019-07-07 01:07:56

PHP

LamerFromSpace, 2019-07-07 01:07:56

Interested in place after WHERE

$fields = [
        "id" => "id",
        "name" => "name",
        "birthdate" => "birthdate",
        "address" => "address",
        "phone" => "phone",
        "job" => "job",
    ];
    $search = $DB->prepare("SELECT * FROM User WHERE {$fields[$_GET['field']]}  LIKE :search");

Maybe there is a smarter way to do it? It's some crutch

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

I

Ivan Koryukov, 2019-07-07
@LamerFromSpace

As such, the code is protected from injection. At least in the forehead to transfer a piece of the request will no longer work.
However, it is necessary to check that the user passes the name of an existing field so that the code does not crash.
And you also need to make sure that the server does not automatically turn query parameters into variables, so that the user, accidentally or intentionally, does not overwrite $fields with his own array.
Although I think this is the first thing they teach when they talk about security in PHP)