I'm developing an application with PDO, and I usually use bindValue() to run SELECTs, but I'm now developing an application that receives a variable containing commas and numbers, which will be exploded later.
What I wanted to know is: is this way safe against attacks? If not, how would these attacks be carried out?
$categories = '10,12,22,123,120'; # THESE ARE THE IDs OF THE DESIRED CATEGORIES
$category = explode(',', $categories);
for ($i = 0; $i < count($category); $i++) {
    # Only numeric strings are interpolated into the SQL; anything else is skipped.
    if (is_numeric($category[$i])) {
        $this->condition .= "categoryName = '{$category[$i]}'";
        # Join the conditions with AND except after the last element.
        if ($i < count($category) - 1) {
            $this->condition .= ' AND ';
        }
    }
}
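For comparison, here is how the same filter can be built with PDO placeholders so that no user-supplied value is ever interpolated into the SQL string. This is an added example, not the code from the question: it assumes a column named categoryName as in the question, a hypothetical table named products, and an existing PDO connection in $pdo. It also uses ctype_digit instead of is_numeric, because is_numeric also accepts signs, decimal points, exponents such as '1e3' and surrounding whitespace, none of which are valid integer IDs even though they contain no quote characters.

```php
<?php
// Added example, not the poster's code. Assumes a column categoryName
// (from the question), a hypothetical table "products", and a PDO
// connection $pdo created elsewhere (hypothetical).

/**
 * Turn a comma-separated list such as '10,12,22,123,120' into a list of
 * integer IDs, keeping only elements that are plain unsigned integers.
 */
function parseCategoryIds(string $categories): array
{
    $ids = [];
    foreach (explode(',', $categories) as $part) {
        $part = trim($part);
        // ctype_digit is stricter than is_numeric: it rejects signs,
        // decimal points, exponents ('1e3') and embedded whitespace.
        if ($part !== '' && ctype_digit($part)) {
            $ids[] = (int) $part;
        }
    }
    return array_values(array_unique($ids));
}

/**
 * Build "categoryName IN (?, ?, ...)" with one placeholder per ID and
 * return the SQL fragment together with the values to bind.
 * IN is used rather than a chain of AND comparisons, since one column
 * cannot equal several different values in the same row.
 */
function buildCategoryCondition(array $ids): array
{
    if ($ids === []) {
        // No valid IDs: a condition that matches nothing, with no bindings.
        return ['1 = 0', []];
    }
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    return ["categoryName IN ($placeholders)", $ids];
}

// Usage with constructed input: '1e3' and 'abc' are dropped by
// parseCategoryIds and never reach the SQL.
$ids = parseCategoryIds('10,12,22,123,120,1e3,abc');
[$condition, $bindings] = buildCategoryCondition($ids);

// $pdo is the hypothetical existing connection; "products" is a
// hypothetical table name.
$stmt = $pdo->prepare("SELECT * FROM products WHERE $condition");
foreach ($bindings as $index => $id) {
    // Positional placeholders are 1-based.
    $stmt->bindValue($index + 1, $id, PDO::PARAM_INT);
}
$stmt->execute();
```

The SQL text that reaches prepare() contains only the column name and question marks; the IDs travel separately as integer parameters, so the question of which strings is_numeric does or does not admit no longer has any bearing on the query. Generating one placeholder per element is the standard way to use IN with PDO, since a single placeholder cannot be bound to a list.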