
I have an HTML file that contains a submit form, which asks the users to fill in their personal info.


Then it will post and store it into the DB by means of PHP and SQL.

i.e.

```php
// Check input errors before inserting in database
if (empty($CName_err) && empty($Address_err) && empty($amount_err) && empty($Phone_err)) {
    // Prepare an insert statement with positional placeholders for all six values
    $pdo = Database::connect();
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $sql = "INSERT INTO database (CName, Address, Phone, Amount, Ticket, Purpose) VALUES (?, ?, ?, ?, ?, ?)";

    // Bind the user-supplied values at execution time, in placeholder order
    $q = $pdo->prepare($sql);
    $q->execute(array($CName, $Address, $Phone, $amount, $Ticket, $Purpose));
    Database::disconnect();
}
```

Hence, are there any risks of an SQL injection attack in this case?

What should I do to improve my coding?

  • If this is working code, best ask over on [CodeReview](https://codereview.stackexchange.com/). Yay for using PDO. – Matt Clark Jul 03 '18 at 01:05
  • It looks to me like you are appropriately using parameters for values, without dynamically building a query string. That code snippet should have very little, if any, risk of SQL injection. – Travis Hegner Jul 03 '18 at 01:20
  • Are you sure this isn't a duplicate kind of question and/or that this shouldn't be on code review? https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – Robert Mennell Jul 03 '18 at 01:22
  • @TravisHegner Should I use `$pdo->prepare` learning from https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – moon Jul 03 '18 at 01:30
  • Yes, prepared statements are required for using parameterized queries. They are also good for running the same query multiple times in a loop. – Travis Hegner Jul 03 '18 at 01:38
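To make concrete what the comments above describe, here is an added example (not the asker's code) that runs the question's parameterized INSERT beside a string-built one against an in-memory SQLite table; the table name `customers`, the sample row and the two helper functions are constructed for the demo. Placeholders can only stand for values, so the table and column names stay fixed in the SQL text, exactly as they do in the question.

```php
<?php
// Added example: contrasts string-built SQL with the parameterized INSERT from
// the question. Uses an in-memory SQLite database so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customers (CName TEXT, Address TEXT, Phone TEXT, Amount INTEGER, Ticket TEXT, Purpose TEXT)');

// Constructed form input: an ordinary surname containing an apostrophe is
// enough to show whether user data is being parsed as part of the SQL.
$row = ["O'Brien", '1 Main St', '555-0100', 20, 'A1', 'donation'];

// Unsafe: the values are spliced into the SQL text, so the quote inside the
// name terminates the string literal and the rest of the input is read as SQL.
function insertUnsafe(PDO $pdo, array $r): string {
    $sql = "INSERT INTO customers VALUES ('$r[0]', '$r[1]', '$r[2]', $r[3], '$r[4]', '$r[5]')";
    try {
        $pdo->exec($sql);
        return 'inserted';
    } catch (PDOException $e) {
        // Fails with a syntax error: data and query structure were mixed.
        return 'failed: ' . $e->getMessage();
    }
}

// Safe: the same approach as the question. The statement is compiled with
// placeholders first; the values are bound afterwards and cannot alter the
// statement's structure, whatever characters they contain.
// With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false so the server,
// not the client driver, performs the binding.
function insertSafe(PDO $pdo, array $r): string {
    $q = $pdo->prepare('INSERT INTO customers (CName, Address, Phone, Amount, Ticket, Purpose) VALUES (?, ?, ?, ?, ?, ?)');
    $q->execute($r);
    return 'inserted';
}

echo 'unsafe: ', insertUnsafe($pdo, $row), PHP_EOL;
echo 'safe:   ', insertSafe($pdo, $row), PHP_EOL;

// Confirm the parameterized path stored the literal input, apostrophe included.
$stored = $pdo->query('SELECT CName FROM customers')->fetchColumn();
var_dump($stored === "O'Brien");
```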
