This is my PDO method. I used this method to save input values to SQL. After reading pdo-prepared-statements-sufficient-to-prevent-sql-injection, and since I have only started learning PHP, I don't know whether this will protect against SQL injection.
    <?php
    $servername = "localhost";
    $username = "sanoj";
    $password = "123456";
    $dbname = "localtest";
    try {
        $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
        // set the PDO error mode to exception
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // prepare sql and bind parameters
        $stmt = $conn->prepare("INSERT INTO filter (firstname, lastname, email)
            VALUES (:firstname, :lastname, :email)");
        // bindParam() binds by reference, so the variables may be assigned after
        // binding; their values are read when execute() runs
        $stmt->bindParam(':firstname', $firstname);
        $stmt->bindParam(':lastname', $lastname);
        $stmt->bindParam(':email', $email);
        // read the form fields; FILTER_SANITIZE_STRING strips tags and is deprecated
        // as of PHP 8.1, and it plays no part in preventing SQL injection
        $firstname = filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_AMP);
        $lastname = filter_input(INPUT_POST, 'lname', FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_AMP);
        $email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_AMP);
        // insert a row
        $stmt->execute();
        echo "New records created successfully";
    } catch (PDOException $e) {
        echo "Error: " . $e->getMessage();
    }
    $conn = null;
    ?>
Can someone help me: will this protect against SQL injection?
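As an added example (not the asker's code) of why the parameter binding, and not filter_input, is what stops injection: it swaps the question's MySQL server for an in-memory SQLite database so it runs offline; the table name and columns follow the question, and the hostile inputs are constructed.

```php
<?php
// Added example, not the asker's code. In-memory SQLite stands in for the MySQL
// server of the question; the "filter" table matches the question's columns.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver, also set PDO::ATTR_EMULATE_PREPARES to false so the
// server compiles the statement instead of the client quoting values into it.
$pdo->exec('CREATE TABLE filter (firstname TEXT, lastname TEXT, email TEXT)');

// Constructed inputs of the kind a form might deliver.
$hostileName  = "Robert'); DROP TABLE filter; --";
$hostileEmail = "' OR '1'='1";

// 1. The INSERT from the question, with values handed to execute(): the SQL text is
//    compiled first and the values travel separately, so quotes in them stay data.
$insert = $pdo->prepare(
    'INSERT INTO filter (firstname, lastname, email) VALUES (:firstname, :lastname, :email)'
);
$insert->execute([':firstname' => $hostileName, ':lastname' => 'Tables', ':email' => 'bob@example.com']);

// The hostile string is stored verbatim and the table still exists.
$stored = $pdo->query('SELECT firstname FROM filter')->fetchColumn();
printf("stored unchanged: %s\n", $stored === $hostileName ? 'yes' : 'no');

// 2. The same lookup done two ways. String concatenation lets the input rewrite
//    the WHERE clause, so the row count is the whole table ...
$unsafe = $pdo->query("SELECT COUNT(*) FROM filter WHERE email = '$hostileEmail'")->fetchColumn();
// ... while a bound parameter compares against the literal string and matches nothing.
$safe = $pdo->prepare('SELECT COUNT(*) FROM filter WHERE email = :email');
$safe->execute([':email' => $hostileEmail]);
printf("concatenated: %d row(s), parameterised: %d row(s)\n", $unsafe, $safe->fetchColumn());

// 3. Placeholders only carry values. Identifiers such as the ORDER BY column cannot
//    be bound, so they must be chosen from a fixed allow-list, never taken from input.
$allowedColumns = ['firstname', 'lastname', 'email'];
$requested = 'email; DROP TABLE filter';   // constructed hostile sort key
$orderBy = in_array($requested, $allowedColumns, true) ? $requested : 'lastname';
$rows = $pdo->query("SELECT * FROM filter ORDER BY $orderBy")->fetchAll(PDO::FETCH_ASSOC);
printf("rows after allow-listed ORDER BY: %d\n", count($rows));
```

Run it with the sqlite PDO driver enabled; the contrast in step 2 is the answer to the question, and step 3 is the limit of what prepared statements cover.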