PHP
MdaUZH, 2016-01-26 12:06:01

Prepared statement for search?

Hello.
I'm doing a search, and I wondered whether I'm doing it right in terms of protection against SQL injection.
I build a query like this:

SELECT r.*, u.nickname AS 'u_name', t.taste, t.recept_id 
FROM recept AS r 
LEFT JOIN users AS u ON u.id = r.user_id 
LEFT JOIN tastes AS t ON t.recept_id = r.id 
WHERE r.name LIKE '%ppl%' AND t.taste LIKE '%дк%'

"ppl" and "дк" came from the user via $_GET.
Moreover, there is no parameter binding or any real protection..
The question itself is: is protection actually needed here?
What could happen if I leave the query like this?
Thanks


2 answer(s)
dimabdc, 2016-01-26

User input can never be trusted!
Read https://habrahabr.ru/post/148151/

res2001, 2016-01-27

Definitely prepared statements for search!
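Both answers say "use prepared statements" without showing what that looks like for a LIKE search, which is the part people get wrong: the wildcards belong in the bound value, not in the SQL text, and a user-supplied "%" or "_" has to be escaped or it becomes a wildcard. The following is an added example written for this page, not code from the question or from either answer. It rebuilds the question's query against an in-memory SQLite database through PDO so it runs offline; the tables, the sample rows (including a hypothetical `secret` column on `recept`), the `$_GET` values and the function names `searchUnsafe`, `searchSafe` and `escapeLike` are all constructed for the example.

```php
<?php
// Added example for this page (not the question author's or answerers' code).
// Runs against an in-memory SQLite database so it needs no server; the same
// PDO calls work unchanged against MySQL.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL this makes PDO use real server-side prepares instead of client-side
// string interpolation; pdo_sqlite always prepares natively and ignores it.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed schema and rows mirroring the tables in the question.
$pdo->exec('CREATE TABLE users  (id INTEGER PRIMARY KEY, nickname TEXT)');
$pdo->exec('CREATE TABLE recept (id INTEGER PRIMARY KEY, name TEXT, user_id INTEGER, secret TEXT)');
$pdo->exec('CREATE TABLE tastes (recept_id INTEGER, taste TEXT)');
$pdo->exec("INSERT INTO users  VALUES (1, 'alice'), (2, 'bob')");
$pdo->exec("INSERT INTO recept VALUES (1, 'apple pie', 1, 'public'), (2, 'borscht', 2, 'private draft')");
$pdo->exec("INSERT INTO tastes VALUES (1, 'sweet'), (2, 'sour')");

// 1. The query exactly as the question builds it: $_GET values concatenated
//    into the SQL string. Kept deliberately vulnerable for comparison.
function searchUnsafe(PDO $pdo, string $name, string $taste): array
{
    $sql = "SELECT r.*, u.nickname AS 'u_name', t.taste, t.recept_id
            FROM recept AS r
            LEFT JOIN users AS u ON u.id = r.user_id
            LEFT JOIN tastes AS t ON t.recept_id = r.id
            WHERE r.name LIKE '%$name%' AND t.taste LIKE '%$taste%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Escape the LIKE metacharacters so a user's "%" or "_" is matched
//    literally. "!" is used as the escape character and declared with
//    ESCAPE in the SQL, which sidesteps the different backslash rules of
//    MySQL and SQLite string literals.
function escapeLike(string $value): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value);
}

// 3. The same query as a prepared statement. The SQL text contains only
//    placeholders; the "%...%" pattern is built in PHP and bound as data, so
//    nothing the user sends can change the structure of the query.
function searchSafe(PDO $pdo, string $name, string $taste): array
{
    $sql = "SELECT r.*, u.nickname AS 'u_name', t.taste, t.recept_id
            FROM recept AS r
            LEFT JOIN users AS u ON u.id = r.user_id
            LEFT JOIN tastes AS t ON t.recept_id = r.id
            WHERE r.name LIKE :name ESCAPE '!' AND t.taste LIKE :taste ESCAPE '!'";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':name'  => '%' . escapeLike($name) . '%',
        ':taste' => '%' . escapeLike($taste) . '%',
    ]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed "requests" standing in for $_GET['name'] / $_GET['taste']:
// an ordinary search, a bare wildcard, and a classic quote-breakout payload
// that comments out the rest of the WHERE clause.
$requests = [
    'normal'   => ['name' => 'pie',               'taste' => 'sw'],
    'wildcard' => ['name' => '%',                 'taste' => '%'],
    'attack'   => ['name' => "' OR '1'='1' -- ",  'taste' => 'nothing'],
];

foreach ($requests as $label => $in) {
    $unsafe = searchUnsafe($pdo, $in['name'], $in['taste']);
    $safe   = searchSafe($pdo, $in['name'], $in['taste']);
    printf("%-8s unsafe: %d row(s)  safe: %d row(s)\n", $label, count($unsafe), count($safe));
    foreach ($unsafe as $row) {
        // The "secret" column is the data an attacker walks away with.
        printf("         unsafe leaked: %s / %s\n", $row['name'], $row['secret']);
    }
}
```

Run it with `php example.php`. For the ordinary search both versions agree. For the bare "%" the concatenated query returns every recipe, while the prepared version returns none, because after `escapeLike` the pattern is `%!%%` and only a name containing a literal percent sign would match. For the quote-breakout payload the concatenated query degenerates to `WHERE r.name LIKE '%' OR '1'='1'` with the taste condition commented away, so every row including the private draft is returned; the prepared version simply searches for a recipe whose name contains the payload text and returns nothing. This is the concrete answer to "what could happen": with string concatenation the `LIKE` clause is no safer than any other place user input is pasted into SQL.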
