Item 547173

While maintaining some software for Bogus Inc. you come across these lines of code (the surrounding code, including where $pdo is created, is not shown):

[code]
$pdo->query(
    "SELECT * FROM USER WHERE USERCODE = '{$_GET["uname"]}'");
....
?>
[/code]

What do you think?

A: All right! This code is using PDO, we're safe and sound here!
B: Why on earth didn't they use prepared statements?
C: There's a possibility for SQL injection here. I'd better use PDO::quote to escape the input.
D: I'm so excited I'll be visiting Amsterdam next summer!
E: They should have used the mysql_xxx functions here because these are compiled into PHP.

Answer

This code is definitely not all right but just plain wrong. Despite using PDO it is wide open to SQL injection: whatever arrives in $_GET["uname"] is pasted straight into the SQL text, so a value such as ' OR '1'='1 changes the query instead of being compared against USERCODE. Merely using PDO buys you nothing; the protection comes from how the query is built. You could patch it with PDO::quote, but there is no good reason to construct the query that way here. This code should have used a prepared statement: the value is sent separately from the SQL text and can never be parsed as SQL, which safeguards you against injection, and the result is more maintainable, easier to read and, when the same statement is executed repeatedly, faster as well.

The mysql_xxx functions are being phased out. Although still very common in older code, the mysql extension has not been enabled by default since PHP 5; it is deprecated as of PHP 5.5 and was removed altogether in PHP 7.0. PDO is the preferred way to access a database in PHP now. That said, the (improved) mysqli_xxx functions support prepared statements too, so correct code can be written with them as well.

This leaves B as the right answer. Unless, of course, you already fixed it at first glance, then the correct answer is D: you deserve the break, happy holidays!
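As an added example that is not part of the original quiz, here is the vulnerable query next to the two safe rewrites the answer recommends (PDO and mysqli prepared statements), plus the PDO::quote variant from option C and the one case placeholders cannot cover. The connection details, the `bogus` database, the `uname` and `by` parameters and the allow-list of column names are assumptions made for the illustration.

```php
<?php
// Added example, not code from the original page. $pdo, $mysqli, the
// "bogus" database and its credentials are assumptions for illustration.

// Naming the charset in the DSN matters: when PDO emulates prepares
// client-side it escapes according to that charset. Turning emulation
// off makes MySQL do a real server-side prepare instead.
$pdo = new PDO(
    'mysql:host=localhost;dbname=bogus;charset=utf8mb4',
    'app', 'secret',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$uname = $_GET['uname'] ?? '';

// BEFORE (the quiz code): string interpolation. Input such as
//   ' OR '1'='1
// becomes part of the SQL text and changes what the query means.
// $stmt = $pdo->query("SELECT * FROM USER WHERE USERCODE = '$uname'");

// AFTER, option 1: a PDO prepared statement. The SQL text and the value
// travel separately, so the value can never be parsed as SQL.
$stmt = $pdo->prepare('SELECT * FROM USER WHERE USERCODE = :uname');
$stmt->execute([':uname' => $uname]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// AFTER, option 2: the same with mysqli (get_result() needs mysqlnd).
$mysqli = new mysqli('localhost', 'app', 'secret', 'bogus');
$mysqli->set_charset('utf8mb4');
$mstmt = $mysqli->prepare('SELECT * FROM USER WHERE USERCODE = ?');
$mstmt->bind_param('s', $uname);
$mstmt->execute();
$mrows = $mstmt->get_result()->fetch_all(MYSQLI_ASSOC);

// Option C from the quiz: escaping with PDO::quote. It adds the quotes
// itself, so do not wrap the result in quotes again. Correct, but there
// is no reason to prefer it over a prepared statement here.
$quoted = $pdo->quote($uname);
$stmt2  = $pdo->query("SELECT * FROM USER WHERE USERCODE = $quoted");

// Placeholders bind values only, never identifiers. A column name chosen
// at run time has to be checked against an allow-list before it is
// spliced into the SQL text.
$allowedColumns = ['USERCODE', 'EMAIL'];          // assumed columns
$column = $_GET['by'] ?? 'USERCODE';
if (!in_array($column, $allowedColumns, true)) {
    http_response_code(400);
    exit('unknown column');
}
$stmt3 = $pdo->prepare("SELECT * FROM USER WHERE $column = :value");
$stmt3->execute([':value' => $uname]);
$rows3 = $stmt3->fetchAll(PDO::FETCH_ASSOC);
```

The `??` null-coalescing operator requires PHP 7 or later; on the PHP 5.x versions the quiz discusses, use `isset($_GET['uname']) ? $_GET['uname'] : ''` instead. Everything else runs unchanged on PHP 5.3 and up.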