Using the quote() method to sanitize user input


Using the quote() method to sanitize user input provides you with in-depth training on Developer. Taught by David Powers as part of the Accessing Databases with Object-Oriented PHP course.


With an online form, it's important to sanitize user input to protect your database against SQL injection attacks. There are two ways to do this with text input. The recommended way is to use a prepared statement, which is the subject of the next chapter. The other way is to use the PDO quote method, which wraps a value in quotes and escapes special characters. Let's take a quick look at how the quote method is used. This is pdo_quote.php, which you can find in the chapter two, 02_09 folder of the exercise files.

On line 6, a variable from the form is embedded directly in the SQL query. Although it's wrapped in quotes, this is potentially dangerous. The query uses the LIKE operator and also it's got these percentage signs as wildcard characters on either side of the search term. Because the quote method wraps the value in quotes, we need to add those percentage characters to the search term before it's passed to the quote method.

So let's create a new line on line 5, and we'...
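As an added example (not code from the course's exercise files or from pdo_quote.php), the script below contrasts the three approaches the transcript mentions: embedding the form value directly in the SQL, wrapping it with PDO's quote() after adding the % wildcards, and the recommended prepared statement. It assumes an in-memory SQLite database; the authors table, its rows and the search term are constructed for the example.

```php
<?php
// Added example, not part of the course's exercise files.
// Uses an in-memory SQLite database so it runs offline; the table,
// rows and simulated form input below are constructed for illustration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE authors (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO authors (name) VALUES ('Ada Lovelace'), ('Flann O''Brien'), ('Grace Hopper')");

// Simulated form input (constructed): a legitimate surname containing an apostrophe.
$search = "O'Brien";

// 1. Unsafe: the raw value is embedded directly in the query, as on line 6 of pdo_quote.php.
//    The apostrophe closes the string literal early and the query fails; a crafted value
//    could change the meaning of the query instead of merely breaking it.
$unsafeSql = "SELECT name FROM authors WHERE name LIKE '%$search%'";
try {
    $pdo->query($unsafeSql);
} catch (PDOException $e) {
    echo 'Unsafe query failed: ' . $e->getMessage() . PHP_EOL;
}

// 2. quote(): add the % wildcards first, because quote() supplies the surrounding quotes
//    and escapes the apostrophe (SQLite doubles it: '%O''Brien%').
$quoted    = $pdo->quote('%' . $search . '%');
$quotedSql = "SELECT name FROM authors WHERE name LIKE $quoted";
foreach ($pdo->query($quotedSql) as $row) {
    echo 'quote(): ' . $row['name'] . PHP_EOL;
}

// 3. Prepared statement (recommended): the value is bound separately and never
//    becomes part of the SQL text, so no escaping step can be forgotten.
$stmt = $pdo->prepare('SELECT name FROM authors WHERE name LIKE :term');
$stmt->execute([':term' => '%' . $search . '%']);
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo 'prepared: ' . $row['name'] . PHP_EOL;
}
```

Two practical points follow from running it. First, quote() depends on the database driver knowing the connection's character set, which is why the PHP manual recommends prepared statements over quote() for building SQL. Second, neither quote() nor a bound parameter escapes the LIKE wildcards % and _ that a user might type; if those should be matched literally, they need their own escaping with an ESCAPE clause, which is independent of the injection question.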

Video duration: 3m 30s. Course: 3h 47m, Intermediate.

Subject: Developer
Software: PHP
Author: David Powers