Anything else I can do to protect against sql injection?

Comments welcome

[php]
//removes “submit” from $_POST
$slice = (array_slice($_POST,0,13));

foreach ($slice as $key => &$value){

$fltr1 = filter_var($value,FILTER_SANITIZE_STRING);
$fltr2 = filter_var($fltr1,FILTER_SANITIZE_SPECIAL_CHARS);
$fltr3 = htmlspecialchars($fltr2);
$trm = trim($fltr3);
$strp = strip_tags($trm);
$new_array[$key] = $strp;

}
//var_dump($new_array);

//var_dump(PDO::getAvailableDrivers());
/* Connect to an ODBC database using driver invocation */
$dsn = ‘mysql:dbname=used_cars;host=localhost’;
$user = ‘root’;
$password = ‘superstearman2’;

try {
$dbh = new PDO($dsn, $user, $password);
$dbh->setAttribute(PDO::ATTR_ERRMODE,PDO::ERRMODE_EXCEPTION);
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES,false);
} catch (PDOException $e) {
echo 'Connection failed: ’ . $e->getMessage();
}

$stmt = $dbh->prepare(‘UPDATE cars SET year=:year, make=:make, body_style=:body_style, engine=:engine, trans=:trans,
drivetrain=:drivetrain, ext_color=:ext_color, int_color=:int_color, mileage=:mileage, vin=:vin, price=:price, sold=:sold
WHERE id=:id’);

foreach ($new_array as $key => $strp){
$stmt->bindValue(’:’.$key,$strp,PDO::PARAM_STR);

}

//$stmt->execute();
$count = $stmt->execute();
$dbh = null;
//
//// If the query is succesfully performed ($count not false)
if($count !== false) echo 'Affected rows : '. $count; // Shows the number of affected rows
[/php]

it looks good to me i would have used htmlentities instead

Sponsor our Newsletter | Privacy Policy | Terms of Service