DEV Community

Discussion on: Add google-like search query to your website or Database

ajv

That's great! But do not do this in production 😬
You should always sanitize the user input and never ever use a query param in your SQL, as that's injection 101.

Trinmar Boado Author • Edited

What is not safe in the code?
The $_GET['regex'] was bound through $stmt->execute()

There's no difference in safety between passing all the parameters as an array to execute, or using bindParam or bindValue.

Tried this simple injection and it doesn't work
api.php?regex='or''='
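The point made in the reply above (a value passed to $stmt->execute() is bound as a parameter, not spliced into the SQL) can be checked side by side with the vulnerable version. The following is an added example and is not code from the original post or from api.php: it uses Python's sqlite3 as a stand-in for PHP PDO, registers a REGEXP function because SQLite has none built in (MySQL does), and populates a constructed three-row users table. The helper names make_db, search_interpolated and search_bound are hypothetical.

```python
import re
import sqlite3

# Constructed sample data; not the table behind the original api.php.
USERS = [
    ("Alice Johnson", "alice@example.com"),
    ("Bob Smith", "bob@example.com"),
    ("Carol Lee", "carol@example.net"),
]


def _regexp(pattern, value):
    # SQLite evaluates "value REGEXP pattern" by calling regexp(pattern, value).
    # An invalid pattern raises re.error here, which SQLite reports to the
    # caller as sqlite3.OperationalError.
    if value is None:
        return 0
    return 1 if re.search(pattern, value) else 0


def make_db():
    """In-memory SQLite database with a REGEXP function, standing in for the
    MySQL/PDO setup of the original post (hypothetical helper)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("REGEXP", 2, _regexp)
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def search_interpolated(conn, regex):
    """The 'injection 101' version: the query parameter is spliced into the
    SQL text, so quotes inside it become SQL syntax."""
    sql = "SELECT name FROM users WHERE name REGEXP '" + regex + "'"
    return [row[0] for row in conn.execute(sql)]


def search_bound(conn, regex):
    """The version the reply defends: the parameter is bound at execute time
    (the sqlite3 equivalent of passing the array to $stmt->execute()), so it
    is only ever a value, never SQL."""
    sql = "SELECT name FROM users WHERE name REGEXP ?"
    return [row[0] for row in conn.execute(sql, (regex,))]


if __name__ == "__main__":
    conn = make_db()
    payloads = ["^A", "'or''='", "' OR '1'='1", "' UNION SELECT email FROM users --"]
    for payload in payloads:
        print(repr(payload))
        print("  interpolated:", search_interpolated(conn, payload))
        print("  bound:       ", search_bound(conn, payload))
```

With the payload from the thread, the interpolated query becomes `WHERE name REGEXP '' or '' = '''`, which matches every row (an empty pattern matches everything), and the UNION payload makes it return e-mail addresses the endpoint was never meant to expose; the bound query treats each payload as a regex pattern that simply matches no name. Binding settles the SQL injection question, but it does not make a user-supplied pattern harmless: the pattern still reaches the regex engine, so a malformed one raises an error and a pathological one can burn CPU. Cap its length and catch the error before it turns into a 500.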