Fix PDO not using input filtering in example
Somehow, this pull request (codeguy#26) went missing in the move to `gh-pages`.  But it's fairly critical, since the example has `$_GET` being passed straight into a `PDO` statement.  On a write (`INSERT` or `UPDATE`), this can still result in dangerous data (to the app, not to SQL) being written accidentally by a new PHP developer.  Data should always be filtered prior to use.
onethumb committed Jan 5, 2015
1 parent 4d01642 commit 3b393c2
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion _posts/07-03-01-Databases_PDO.md
@@ -50,13 +50,16 @@ FROM users` which will delete all of your users! Instead, you should sanitize th
<?php
$pdo = new PDO('sqlite:/path/db/users.db');
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$stmt->bindParam(':id', $_GET['id'], PDO::PARAM_INT); // <-- Automatically sanitized by PDO
$id = filter_input(FILTER_GET, 'id', FILTER_SANITIZE_NUMBER_INT); // <-- filter your data first (see [Data Filtering](#data_filtering)), especially important for INSERT, UPDATE, etc.
$stmt->bindParam(':id', $id, PDO::PARAM_INT); // <-- Automatically sanitized for SQL by PDO
$stmt->execute();
{% endhighlight %}

This is correct code. It uses a bound parameter on a PDO statement. This escapes the foreign input ID before it is
introduced to the database preventing potential SQL injection attacks.

For writes, such as INSERT or UPDATE, it's especially critical to still [filter your data](#data_filtering) first and sanitize it for other things (removal of HTML tags, JavaScript, etc). PDO will only sanitize it for SQL, not for your application.

* [Learn about PDO]

You should also be aware that database connections use up resources and it was not unheard-of to have resources
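Review bot: `FILTER_GET` on the new `filter_input()` line is not a PHP constant. The first argument of `filter_input()` is an input-type constant, and for the query string that is `INPUT_GET`; as written, PHP 8 throws an `Error` for the undefined constant and older versions only emit a notice and pass a bogus type, so the call never reads `$_GET['id']` as intended. Suggest `$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);`, which also validates rather than merely stripping characters (`FILTER_SANITIZE_NUMBER_INT` silently turns an input like `12abc` into `12`), followed by a check that `$id` is neither `false` nor `null` before the `bindParam()` and `execute()` calls. That matters here because the prose added below tells readers this is the pattern to copy for `INSERT` and `UPDATE`, so the example should fail closed on bad input instead of binding a coerced value.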