Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
M
M
MdaUZH2016-01-26 12:06:01
PHP
MdaUZH, 2016-01-26 12:06:01

Prepare statement for search?

Hello.
I'm doing a search, and I thought if I'm doing it right, in terms of protection against sql injections.
I make a request like this:

SELECT r.*, u.nickname AS 'u_name', t.taste, t.recept_id 
FROM recept AS r 
LEFT JOIN users AS u ON u.id = r.user_id 
LEFT JOIN tastes AS t ON t.recept_id = r.id 
WHERE r.name LIKE '%ppl%' AND t.taste LIKE '%дк%'

"ppl" and "dk" -> came from the user via _GET .
Moreover, there is no parameter bind or any real protection ..
The question itself is, is protection actually needed here?
What can I do if I leave such a request?
Thanks

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
D
dimabdc, 2016-01-26
@dimabdc

User input can never be trusted!
Read https://habrahabr.ru/post/148151/

Report
R
res2001, 2016-01-27
@res2001

Definitely Prepare statements for search!

Similar questions
M
MrFreeman2014-05-22 10:27:02
Where did the events from habrahabr go? 6Reply
S
Sergey Kulandin2015-04-20 12:45:33
Is crossfire radeon 7850+7870 stable? 3Reply
A
Andrei1penguin12021-04-01 00:37:45
Why don't losses decrease? 3Reply
T
thehighhomie2018-11-30 12:28:13
Plugin to generate PDF from JavaScript? 4Reply
H
HAtan2020-09-30 15:30:27
How to process a click and record it? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question