PHP security - avoid SQL Injection [duplicate]

Is it wrong or unsafe to use:

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    foreach ($_POST as $key => $value) $$key = $value;
    ...
}

Let's say I have this code, but use a procedure call with prepare on the variables. Do I have any risk of attack by SQL injection?

Being a little more specific, my problem is:

foreach ($_POST as $key => $value) $$key = $value;

I have an analysis and security report on my system saying that this is a serious SQL injection failure, even though I'm using PDO and prepare after that!

asked by anonymous 12.04.2017 / 15:59

1 answer

Yes, your method is susceptible to SQL injection.

First, switch from hand-written plain PHP to a framework such as Zend Framework, or a simpler one like CodeIgniter; this way you care more about what your code should do than about how security should be done. If you want to do everything natively, I would opt for the filter_input(INPUT_POST, 'your_variable') method, which is much more secure than $_POST['variable'] or your method, since it already checks whether the value exists and applies some filters for you, and you can add options, which makes it very useful. For more information look at the

12.04.2017 / 16:19
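To show why the answer is right, here is an added example (not code from the question or the answer) that contrasts the variable-variables loop with a version that reads only the expected keys through the filter API. It assumes an in-memory SQLite database and a constructed $post array standing in for $_POST.

```php
<?php
// Added example, not code from the question or the answer above.
// Shows why `foreach ($_POST as $key => $value) $$key = $value;` is unsafe
// even when the query goes through PDO::prepare(): the loop lets the client
// overwrite ANY variable in scope, including ones that are concatenated
// into the SQL because they are identifiers and cannot be bound.
// Assumptions: SQLite in-memory database and a constructed $post array.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice')");

// Unsafe: every POST key becomes a local variable.
function findUnsafe(PDO $pdo, array $post): array {
    $table = 'users';        // the developer intends this to be fixed
    foreach ($post as $key => $value) $$key = $value; // a 'table' key overwrites it
    // Identifiers cannot be bound, so $table is interpolated; the bound
    // :name parameter is safe, but the table name now comes from the client.
    $stmt = $pdo->prepare("SELECT name FROM $table WHERE name = :name");
    $stmt->execute([':name' => $name ?? '']);
    return [$table, $stmt->fetchAll(PDO::FETCH_COLUMN)];
}

// Hardened: read only the keys you expect, filtered, and never let an
// identifier come from the request. On a live request the same filter is
// applied with filter_input(INPUT_POST, 'name', FILTER_DEFAULT).
function findSafe(PDO $pdo, array $post): array {
    $table = 'users';
    $name  = filter_var($post['name'] ?? '', FILTER_DEFAULT);
    $stmt = $pdo->prepare("SELECT name FROM $table WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return [$table, $stmt->fetchAll(PDO::FETCH_COLUMN)];
}

// Constructed request: an extra 'table' key the HTML form never sends.
$post = ['name' => 'alice', 'table' => 'sqlite_master'];
[$t1, $r1] = findUnsafe($pdo, $post);
[$t2, $r2] = findSafe($pdo, $post);
echo "unsafe queried table: $t1\n"; // the client chose the table name
echo "safe   queried table: $t2\n"; // stays 'users'
```

The point is that prepare() only protects the values you actually bind; anything the loop lets the client overwrite and that ends up concatenated into the SQL string is still injectable.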