Is this code safe from SQL injection?
I'm interested in the part after WHERE.
// Whitelist: request value => column name
$fields = [
    "id" => "id",
    "name" => "name",
    "birthdate" => "birthdate",
    "address" => "address",
    "phone" => "phone",
    "job" => "job",
];
// $_GET['field'] is used as a key into the whitelist; only the mapped value
// (never the raw request string) is interpolated into the query text.
// The search pattern itself stays a bound parameter (:search).
$search = $DB->prepare("SELECT * FROM User WHERE {$fields[$_GET['field']]} LIKE :search");
As such, the code is protected from injection. At least a naive attempt to pass in a piece of the query will no longer work.
However, you need to check that the user passes the name of an existing field, so that the code does not crash.
And you also need to make sure that the server does not automatically turn query parameters into variables, so that the user, accidentally or intentionally, does not overwrite $fields with his own array.
Although I think this is the first thing they teach when they talk about security in PHP)
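The same whitelist approach with the two checks from the answer above, as an added example (not code from the question or the answer). It assumes PDO with an in-memory SQLite database so it runs offline; the User table, the rows, and the function name searchUsers() are constructed for the example.

```php
<?php
declare(strict_types=1);

// Whitelist: request value => real column name. Keys are what the client may
// send; values are the only strings that ever reach the SQL text.
// A const (rather than a variable) also closes the "request parameters become
// variables" hole from the answer: extract($_GET) or register_globals cannot
// overwrite it.
const SEARCH_FIELDS = [
    'id'        => 'id',
    'name'      => 'name',
    'birthdate' => 'birthdate',
    'address'   => 'address',
    'phone'     => 'phone',
    'job'       => 'job',
];

function searchUsers(PDO $db, string $field, string $search): array
{
    // Check 1: the requested field must be a whitelist KEY. Without this, an
    // unknown field yields null and the query text becomes
    // "... WHERE  LIKE :search": a SQL syntax error (a crash, not an injection).
    if (!array_key_exists($field, SEARCH_FIELDS)) {
        throw new InvalidArgumentException("Unknown search field: $field");
    }
    $column = SEARCH_FIELDS[$field]; // only ever one of the six literals above

    // The search value stays a bound parameter; it is never concatenated.
    $stmt = $db->prepare("SELECT * FROM User WHERE {$column} LIKE :search");
    $stmt->execute([':search' => $search]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- constructed sample data (hypothetical, for the example only) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE User (id INTEGER PRIMARY KEY, name TEXT, birthdate TEXT,
           address TEXT, phone TEXT, job TEXT)');
$db->exec("INSERT INTO User (name, birthdate, address, phone, job) VALUES
    ('Alice', '1990-01-01', 'Main St 1', '111', 'engineer'),
    ('Bob',   '1985-05-05', 'Side St 2', '222', 'admin')");

// Normal use: field from the whitelist, pattern bound as a parameter.
print_r(searchUsers($db, 'name', 'Ali%'));        // Alice's row

// Injection attempt in the field name: rejected before any SQL is built.
try {
    searchUsers($db, "1=1 OR id", '%');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// Injection attempt in the search value: bound, so it is compared literally
// against the column and matches nothing.
print_r(searchUsers($db, 'job', "x' OR '1'='1")); // empty array

// What the original snippet does with a missing key: the whitelist lookup
// gives null and the resulting query is a syntax error.
$missing = @['id' => 'id']['does_not_exist'];
var_dump($missing);                                // NULL
```

Two practical notes: $_GET['field'] is not guaranteed to be a string (?field[]=x sends an array), so check is_string() before calling the function, otherwise the array lookup raises a TypeError. And because the pattern is passed to LIKE, "%" and "_" in user input act as wildcards; that is not an injection, but if it matters, escape them before binding.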