Solved

Does PDO::PARAM_STR filters the input from user?

Posted on 2014-10-20
4
255 Views
Last Modified: 2014-10-20
Dear experts,

The I was using the PDO function from php with prepare statements.

I have an input string like this: 'UPDATE tbl_1 Set city = :city and id = :id';

$city = 'Mongo';
$id = 3;
I've also have my bindParam() like this: bindParam(':city', $city, PDO::PARAM_STR);
and bindParam(':id', $id, PDO::PARAM_INT);

somehow I changed the PDO::PARAM_STR into PDO::PARAM_INT for bindParam(':city', $city, PDO::PARAM_STR) and the result from $city still works. I am wondering what does the PDO::PARAM_STR or the PDO::PARAM_INT do because it is not filtering out the input for me.  Thanks.
0
Comment
Question by:Kinderly Wade
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 40393258
If you pass it a string and tell it it's a number then it will know it's string and quote it anyway.
0
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 40393393
Quoted numbers do no harm.  Unquoted strings are not so good.  But PDO does not really do "quoting" like we do when we use other MySQL extensions.  And PDO does nothing to filter input - that is the programmer's responsibility.  Accept Only Known Good Values.  All PDO does is prevent bad query strings from causing the MySQL engine to bark or belch out the wrong data.

The general way to handle PDO parameterization is given in this article.  See PDO - Prepare a Query
http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html
0
 

Author Closing Comment

by:Kinderly Wade
ID: 40393434
Thanks Ray. You nailed the question right on the spot.
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 40393460
Thanks for the points -- it's a very worthwhile question, ~Ray
0

Featured Post

SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
Originally, this post was published on Monitis Blog, you can check it here . In business circles, we sometimes hear that today is the “age of the customer.” And so it is. Thanks to the enormous advances over the past few years in consumer techno…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question