Welcome to the Treehouse Community
The Treehouse Community is a meeting place for developers, designers, and programmers of all backgrounds and skill levels to get support. Collaborate here on code errors or bugs that you need feedback on, or asking for an extra set of eyes on your latest project. Join thousands of Treehouse students and alumni in the community today. (Note: Only Treehouse students can comment or ask questions, but non-students are welcome to browse our conversations.)
Looking to learn something new?
Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and a supportive community. Start your free trial today.
Evan Shellborn
4,827 PointsWhy does this filter input?
Is the prepare method here designed to filter input? If you pass in something like "101; DROP TABLE products", what will happen? I'm a bit confused about what's going on here.
Here's the code again:
$results = $db->prepare('SELECT name, price, img, sku, paypal FROM products WHERE sku = ?');
$results->bindParam(1,$sku);
$results->execute();
1 Answer
Zachary Green
16,359 PointsIt will escape any dangerous chars. Prepare will also quote your string to fight SQL injection. So now that statement is rendered safe. Later on you should check to see if SKU is int or string add another layer of protection.
Evan Shellborn
4,827 PointsEvan Shellborn
4,827 PointsOk, thanks. How exactly does that work, though?
Zachary Green
16,359 PointsZachary Green
16,359 PointsThis might help you out http://stackoverflow.com/questions/4042843/in-php-how-does-pdo-protect-from-sql-injections-how-do-prepared-statements-wor
Evan Shellborn
4,827 PointsEvan Shellborn
4,827 PointsCool, thanks