Code Review
replaced http://stackoverflow.com/ with https://stackoverflow.com/
I would like to add to @tim's answer with:

  1. Make a validation function that checks your `$_GET['pname']` parameter; this way it's isolated and you can return the error early if the validation fails, without hitting the DB.

  2. As tim mentioned, escaping the string is useless because you are using PDO; prepared statements already quote the parameter for you. An alternative, if you need to quote again (but your input might be wonky in storage), would be to use `PDO::quote()`, as found in the solution: https://stackoverflow.com/questions/3716373/real-escape-string-and-pdo
azngunit81
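As an added example (not code from the original answer), here is one way to put both points into PHP: the validation function runs first and returns early, and the lookup relies on a PDO prepared statement instead of manual escaping. The table and column names (`players`, `pname`), the allowed name format and the in-memory SQLite connection are assumptions for illustration.

```php
<?php
// Added example, not from the original answer: isolate validation of
// $_GET['pname'] in its own function so a bad request is rejected before
// any database work, then use a PDO prepared statement for the lookup.
// Table/column names and the allowed format are assumptions.
declare(strict_types=1);

const PNAME_PATTERN = '/\A[A-Za-z0-9_]{1,32}\z/';

// Returns the validated name, or null when the input is missing or malformed.
function validatePname(array $query): ?string
{
    if (!isset($query['pname']) || !is_string($query['pname'])) {
        return null;
    }
    $name = $query['pname'];
    return preg_match(PNAME_PATTERN, $name) === 1 ? $name : null;
}

// Looks up a player by name. No manual escaping: the value travels as a
// bound parameter, so the database never treats it as part of the SQL text.
function findPlayer(PDO $pdo, string $pname): ?array
{
    $stmt = $pdo->prepare('SELECT id, pname FROM players WHERE pname = :pname');
    $stmt->bindValue(':pname', $pname, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pname = validatePname($_GET);
if ($pname === null) {
    http_response_code(400);
    exit("Invalid pname\n");          // early return: the DB is never touched
}

// Constructed stand-in for the real connection so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, pname TEXT)');
$pdo->exec("INSERT INTO players (pname) VALUES ('alice'), ('bob')");

$player = findPlayer($pdo, $pname);
echo $player === null ? "No such player\n" : "Found player #{$player['id']}\n";
```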
