PHP

LamerFromSpace, 2019-07-07 01:07:56

Is this code safe from SQL injection?

I'm interested in the part after WHERE.

<?php
// Map of allowed client-supplied field names to real column names
$fields = [
    "id"        => "id",
    "name"      => "name",
    "birthdate" => "birthdate",
    "address"   => "address",
    "phone"     => "phone",
    "job"       => "job",
];
// The column name is interpolated into the SQL string; the search value is bound as :search
$search = $DB->prepare("SELECT * FROM User WHERE {$fields[$_GET['field']]} LIKE :search");

Maybe there is a smarter way to do it? It's a bit of a crutch.

1 answer
Ivan Koryukov, 2019-07-07
@LamerFromSpace

As such, the code is protected from injection. At least a naive attempt to pass a piece of a query through it will no longer work.
However, you need to check that the user passes the name of an existing field so that the code does not crash.
And you also need to make sure that the server does not automatically turn query parameters into variables, so that the user, accidentally or intentionally, cannot overwrite $fields with an array of his own.
Although I think this is the first thing they teach when they talk about security in PHP)
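A hardened version of the query from the question, as an added example (not the poster's or the answerer's code): it keeps the column whitelist in a constant so nothing like extract($_GET) or register_globals can overwrite it, rejects unknown field names before they reach the SQL string, and binds the search value as a parameter. It assumes PDO with the SQLite driver, used here only for constructed sample data.

```php
<?php
declare(strict_types=1);

// Whitelist: key = what the client may send, value = the real column name.
// A constant cannot be reassigned at runtime, unlike a plain $fields variable.
const SEARCHABLE_FIELDS = [
    'id'        => 'id',
    'name'      => 'name',
    'birthdate' => 'birthdate',
    'address'   => 'address',
    'phone'     => 'phone',
    'job'       => 'job',
];

function searchUsers(PDO $db, array $query): array
{
    $field  = $query['field'] ?? '';
    $needle = $query['search'] ?? '';
    // Reject anything that is not a whitelisted key *before* building the SQL.
    // array_key_exists rather than isset, so a key mapped to null is also caught.
    if (!is_string($field) || !array_key_exists($field, SEARCHABLE_FIELDS)) {
        throw new InvalidArgumentException('Unknown search field: ' . var_export($field, true));
    }
    if (!is_string($needle)) {
        throw new InvalidArgumentException('search must be a string');
    }
    // Only the whitelisted column name is interpolated; the user's value is bound.
    $column = SEARCHABLE_FIELDS[$field];
    $stmt = $db->prepare("SELECT * FROM User WHERE $column LIKE :search");
    $stmt->execute([':search' => '%' . $needle . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE User (id INTEGER, name TEXT, birthdate TEXT, address TEXT, phone TEXT, job TEXT)');
$db->exec("INSERT INTO User VALUES (1, 'Alice', '1990-01-01', 'Main St', '555-0100', 'admin')");

print_r(searchUsers($db, ['field' => 'name', 'search' => 'Ali']));

// Unknown field: the original code would build "WHERE  LIKE :search" and fail
// with a SQL syntax error; here it is refused with a clear exception instead.
try {
    searchUsers($db, ['field' => 'password', 'search' => 'x']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```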
