Use prepared statements and bound values to avoid SQL Injection with PDO?

1

I would like to know if it is safe to search the database like this:

$c = $conn->prepare("SELECT * FROM tb WHERE coisa = :post"); // SQL text is fixed here
$c->bindValue(':post', $_POST['login']);                     // user input is sent as a value, not as SQL
$c->execute();
var_dump($c->fetch());

Is it safe for me to do this, or do I have to validate before? To avoid any kind of attack?

    
asked by anonymous 24.03.2015 / 23:16

2 answers

1

About SQL Injection

Preliminary defenses:

  • Option #1: Use of Prepared Statements

The use of Prepared Statements with variable bindings (parameterized queries) is how all developers should be taught to write database queries. They are simple to write and easier to understand than dynamic queries. Parameterized queries force the developer to first define all the SQL code and then pass each parameter to the query afterwards. This style of coding allows the database to distinguish code from data, regardless of what user input is provided. Prepared Statements ensure that an attacker is not able to change the intent of a query, even if SQL commands are inserted by the attacker. In the example, if an attacker tried to enter a userID of tom' or '1'='1, the parameterized query would not be vulnerable and would instead look up a username that literally matches the entire string tom' or '1'='1.

Specific recommendations for each language:

  • Java EE - use PreparedStatement() with bind variables
  • .NET - use parameterized queries like SqlCommand() or OleDbCommand() with bind variables
  • PHP - use PDO with strongly typed parameterized queries (using bindParam())
  • Hibernate - use createQuery() with bind variables (called named parameters in Hibernate)
  • SQLite - use sqlite3_prepare() to create a statement object

There are other ways / complements to prevent SQL Injection; Prepared Statements are a major one. I saw that you are interested in knowing about other vulnerabilities; there are also other variants of SQL attack, like blind SQL injection. I do not know if you know it, but there is a community organization that focuses on security, especially on the web, and they publish a top 10 of the major web vulnerabilities, besides having a lot of other content related to security, including content specific to PHP.

Complementing: in addition, validate your application's inputs and outputs, allowing only the characters that are required.

OWASP

TOP 10 - 2013

SQL Injection

I recommend that you get to know this site, mainly to learn about the other ways to prevent SQL attacks; the content above was taken from the OWASP site.

    
18.09.2016 / 06:44
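As an added illustration of the answer above (this is example code, not from the question or either answer), the following script contrasts building the query by string concatenation with the PDO prepared statement the question uses. It runs stand-alone against an in-memory SQLite database; the table, the rows and the input string standing in for $_POST['login'] are constructed here. One caveat the answer does not mention: on the MySQL driver PDO emulates prepares on the client side by default, which is still safe with bindValue(), but PDO::ATTR_EMULATE_PREPARES = false makes the server do the preparing so that query text and values travel separately.

```php
<?php
// Added example (not from the page): string concatenation vs. PDO prepared statement.
// In-memory SQLite so it runs offline; table contents are constructed for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Only the MySQL driver honours this attribute; it asks for native server-side prepares.
if ($pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
}

$pdo->exec("CREATE TABLE tb (id INTEGER PRIMARY KEY, coisa TEXT NOT NULL)");
$pdo->exec("INSERT INTO tb (coisa) VALUES ('tom'), ('alice')");

// Constructed input standing in for $_POST['login']; same string the answer discusses.
$input = "tom' or '1'='1";

// Vulnerable form: the input becomes part of the SQL text, so the quote inside it
// closes the literal and the trailing OR clause is true for every row.
function findUnsafe(PDO $pdo, string $login): array
{
    $sql = "SELECT * FROM tb WHERE coisa = '" . $login . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe form (what the question does): the SQL text is fixed at prepare time and the
// input is bound as a value, so it is compared literally against the column.
function findSafe(PDO $pdo, string $login): array
{
    $c = $pdo->prepare("SELECT * FROM tb WHERE coisa = :post");
    $c->bindValue(':post', $login, PDO::PARAM_STR);
    $c->execute();
    return $c->fetchAll(PDO::FETCH_ASSOC);
}

// Typed binding for numeric parameters: the cast plus PDO::PARAM_INT guarantees
// that an integer, never a string of SQL, reaches the database.
function findById(PDO $pdo, $id): ?array
{
    $c = $pdo->prepare("SELECT * FROM tb WHERE id = :id");
    $c->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $c->execute();
    $row = $c->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

printf("unsafe: %d row(s)\n", count(findUnsafe($pdo, $input))); // every row comes back
printf("safe:   %d row(s)\n", count(findSafe($pdo, $input)));   // no coisa equals the literal string
var_dump(findById($pdo, "1 OR 1=1"));                            // (int) cast yields 1: only id 1 is fetched
```

Run it with php example.php: findUnsafe() returns both rows because the concatenated query reads WHERE coisa = 'tom' or '1'='1', while findSafe() returns none, because the bound value is matched as the literal text tom' or '1'='1. The prepared statement answers the question directly; the input validation the answer also recommends is still worth doing for the application's own rules (length, allowed characters), but it is not what prevents the injection.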
0

Yes, using bindValue already prevents SQL Injection attempts.

    
25.03.2015 / 00:55