Anything else I can do to protect against SQL injection?

Comments welcome

<?php
// Keep only the form fields: drops "submit", assumed to be the 14th key in $_POST
$slice = array_slice($_POST, 0, 13);

$new_array = [];
foreach ($slice as $key => $value) {
    // Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1
    $fltr1 = filter_var($value, FILTER_SANITIZE_STRING);
    $fltr2 = filter_var($fltr1, FILTER_SANITIZE_SPECIAL_CHARS);
    $fltr3 = htmlspecialchars($fltr2);
    $trm   = trim($fltr3);
    $strp  = strip_tags($trm);
    $new_array[$key] = $strp;
}

/* Connect to the MySQL database through PDO using driver invocation */
$dsn = 'mysql:dbname=used_cars;host=localhost';
$user = 'root';
$password = 'superstearman2';

try {
    $dbh = new PDO($dsn, $user, $password);
} catch (PDOException $e) {
    echo 'Connection failed: ' . $e->getMessage();
    exit;
}

$stmt = $dbh->prepare('UPDATE cars SET year=:year, make=:make, body_style=:body_style, engine=:engine, trans=:trans,
    drivetrain=:drivetrain, ext_color=:ext_color, int_color=:int_color, mileage=:mileage, vin=:vin, price=:price, sold=:sold
    WHERE id=:id');

// Bind each filtered value to the placeholder of the same name
// (assumes the form field names match the column placeholders above)
foreach ($new_array as $key => $strp) {
    $stmt->bindValue(':' . $key, $strp);
}

// execute() returns true/false; rowCount() gives the number of affected rows
$count = $stmt->execute();
// If the query is successfully performed ($count not false)
if ($count !== false) echo 'Affected rows : ' . $stmt->rowCount(); // Shows the number of affected rows
$dbh = null;

It looks good to me. I would have used htmlentities instead.
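Added example, not code from the original post or the reply, showing why the protection against SQL injection comes from the bound parameters and not from the htmlspecialchars/htmlentities/strip_tags chain: free text is bound as data and stored literally, integers are validated by type, and HTML escaping is applied only when the value is rendered. It assumes the pdo_sqlite extension (so it runs without a MySQL server), a constructed `$post` array, and a hypothetical `validateCar()` helper.

```php
<?php
// Added example (not from the original post): parameter binding vs. HTML escaping.
// Assumes pdo_sqlite so the demo runs offline; the table mirrors the post's "cars" table.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE cars (id INTEGER PRIMARY KEY, make TEXT, mileage INTEGER, price INTEGER)');
$dbh->exec("INSERT INTO cars (id, make, mileage, price) VALUES (1, 'Ford', 50000, 9000), (2, 'BMW', 20000, 25000)");

// Constructed form input: a quote plus SQL-looking text in a free-text field, and a non-numeric price.
$post = ['id' => '1', 'make' => "O'Brien Motors' OR 1=1 --", 'mileage' => '12345', 'price' => 'abc', 'submit' => 'Save'];

// Hypothetical helper: validate by type instead of "sanitising" with HTML functions.
// Only whitelisted keys are returned, so execute() receives exactly the placeholders it needs.
function validateCar(array $post): array {
    $id      = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    $mileage = filter_var($post['mileage'] ?? null, FILTER_VALIDATE_INT);
    $price   = filter_var($post['price'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || $mileage === false || $price === false) {
        throw new InvalidArgumentException('id, mileage and price must be integers');
    }
    // Free text passes through unchanged: the driver binds it as data, never as SQL.
    return ['id' => $id, 'make' => (string)($post['make'] ?? ''), 'mileage' => $mileage, 'price' => $price];
}

try {
    $params = validateCar($post);
} catch (InvalidArgumentException $e) {
    echo "Rejected: {$e->getMessage()}\n";
    $post['price'] = '8500';          // resubmit with a well-formed price
    $params = validateCar($post);
}

// Named placeholders; the statement text never contains user input.
$stmt = $dbh->prepare('UPDATE cars SET make = :make, mileage = :mileage, price = :price WHERE id = :id');
$stmt->execute($params);
echo 'Affected rows: ' . $stmt->rowCount() . "\n";   // 1, not 2: "OR 1=1" stayed inside the bound string

// The quote and the comment sequence are stored literally, not interpreted.
$row = $dbh->query('SELECT make, price FROM cars WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
echo 'Stored make: ' . $row['make'] . ' (price ' . $row['price'] . ")\n";

// HTML escaping belongs at output time, not before the database write.
echo 'Rendered: ' . htmlspecialchars($row['make'], ENT_QUOTES, 'UTF-8') . "\n";
```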
