php - Is $_SESSION safe from sql injects? -

-

i use pdo access mysql database, , want use in. sadly don't seam work prepare, wrote function

function is_numeric_array($array){     if(!is_array($array))         return is_numeric($array);      if(is_array($array))         foreach($array $int)             if(!is_numeric($int))                 return false;     return true; }

then used this

    if(!is_numeric_array($_session['story'])){         die("error, array contains non-integers");     }      $query = "(";     for($i = 0; $i<count($_session['story']); $i++)         $query .= $_session['story'][$i].(count($_session['story'])-1 != $i ? "," : "");     $query .= ")";      //collect data needed     $stories = openconnection() -> query("select * `stories` `id` in {$query}") -> fetchall();

i know it, looks ugly. don't want sql injects.

you don't have test input being numeric, because in mysql, string e.g. '123abc' in numeric context (like being compared integer column id) implicitly takes digits , ignores rest. non-numeric string 'abc' has integer value 0 because there no leading digits.

the point is, values safe sql injection if use query parameters. whether inputs come $_session or source irrelevant. $_session neither safe or unsafe respect sql injection, it's how pass data query matters.

i simplify code format list of parameter placeholders:

$placeholders = implode(',', array_fill(1, count((array)$_session['story']), '?'));

and forget bindparam(), pass array execute().

//collect data needed $storyquery = openconnection() -> prepare("select * `stories`      `id` in ({$placeholders})"); $storyquery -> execute((array)$_session['story']); $story = $storyquery -> fetchall();

re comment:

in pdo, can use either named parameters :id, or can use positional parameters, ? (but don't mix these 2 types in given query, use 1 or other).

passing array execute() automatically binds array elements parameters. simple array (i.e. indexed integers) easy bind positional parameters.

if use named parameters, must pass associative array keys of array match parameter names. array keys may optionally prefixed : it's not required.

if you're new pdo, pays read documentation. there code examples , everything!


Comments

Post a Comment

Popular posts from this blog

c++ - OpenCV Error: Assertion failed <scn == 3 ::scn == 4> in unknown function, -

-
i read alot other solution still confused should mine... #include <opencv2/objdetect/objdetect.hpp> #include <opencv2/highgui/highgui.hpp> #include <opencv2/imgproc/imgproc.hpp> #include <iostream> #include <stdio.h> using namespace std; using namespace cv; int main(int argc, const char** argv) { //create cascade classifier object used face detection cascadeclassifier face_cascade; //use haarcascade_frontalface_alt.xml library face_cascade.load("haarcascade_frontalface_alt.xml"); //setup video capture device , link first capture device videocapture capturedevice; capturedevice.open(0); //setup image files used in capture process mat captureframe; mat grayscaleframe; //create window present results namedwindow("outputcapture", 1); //create loop capture , find faces while (true) { //capture new image frame capturedevice >> captureframe; ...
Read more

php - render data via PDO::FETCH_FUNC vs loop -

-
i've been using 2 methods render data. the first one: function name($id,$name){ return '<div id="'.$id.'">'.$name.'</div>'; } echo implode($pdo->query("select id,name user")->fetchall(pdo::fetch_func,'name')); the second one: $users = $pdo->query("select id,name user")->fetchall(pdo::fetch_obj); foreach($users $user){ echo name($user->id,$user->name); } i don't understand how pdo::fetch_func works. tried figure out. however, not well-documented. could please explain fetch mode? , also, 1 performs better? thank you. both methods wrong , have learn how use templates , how separate business logic presentation logic. $users = $pdo->query("select id,name user")->fetchall(pdo::fetch_obj); tpl::assign('users', $users); is code business logic part. then in template <?php foreach $users $row): ?> <div id="<?=$...
Read more

The canvas has been tainted by cross-origin data in chrome only -

-
uncaught securityerror: failed execute 'getimagedata' on 'canvasrenderingcontext2d': canvas has been tainted cross-origin data i getting above error in chrome. code(following) works fine in mozilla. have not corss domain issue. why above error in chrome? var wheel_canvas, wheel_context, can_w, can_h, wheel_grd; var large_radius = 160; var small_radius = 120; var wheel_canvas = document.getelementbyid('wheel_canvas'); var wheel_context = wheel_canvas.getcontext('2d'); var can_w = $(wheel_canvas).width(); var can_h = $(wheel_canvas).height(); var centerx = can_w / 2, centery = can_h / 2; var wheel_grd = null; test('#ff0000'); function test(hex) { $('#clrpicker').css({'left': 210, 'top': 210 }); inverted = hexbw(hex); $('#color_val_show').val(hex); current_color_hex_val_selected = hex; $('#color_val_show').css({'color':inverted,'background':hex}); fillgradient...
Read more