PHP PDO - prevent sql injection problem


#1

I know this has probably been discussed a lot, but I still cannot figure it out on my own. I am trying to run a PDO to prevent sql injections. Any assitance would be very welcome as I am stumped and have been working on this for a couple days now. I have to give up and ask for help! As of now, the page displays the job links with no errors, but I cannot click on the links. The page keeps going back to the original page with the job listing links. My old code didn’t include PDO and was just the old school way of connecting to a database, so I can confirm the issue isn’t with the page that links to this page.

$conn = new PDO('mysql:host=xxxx;dbname=xxxx', 'xxxx', 'xxxx');
// set the PDO error mode to exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Leave column names as returned by the database driver
$conn->setAttribute(PDO::ATTR_CASE, PDO::CASE_NATURAL);
// Convert Empty string to NULL
$conn->setAttribute(PDO::ATTR_ORACLE_NULLS, PDO::NULL_EMPTY_STRING);   

$SQL = “SELECT *
FROM careerapplicationpost,careerapplicationjobdescription
WHERE careerapplicationpost.CareerApplicationPostID = ‘?’
AND careerapplicationjobdescription.JobDescriptionTitle = ‘?’”;

$sth = $conn->prepare($SQL);
// binding parameters
$sth->bindParam(’:careerId’, $_GET[‘CareerID’], PDO::PARAM_INT, 100);
$sth->bindParam(’:title’, $_GET[‘Title’], PDO::PARAM_STR, 100);
// executing statement
$sth->execute();
$resultSet = $sth->fetchAll();
foreach ( $conn->query($SQL) as $row ) {

//setup the postings
echo "<h2>";
echo "<a href=\"/careers/view-career.php?CareerID=$row[CareerApplicationPostID]&Title=$row[JobDescription]\">$row[JobDescriptionDisplayTitle]</a><br />"; 
echo "</h2><hr />";
echo "<br />";
echo $row['Location'];
echo ", &nbsp;&nbsp;";
echo $row['FullTimePartTime'];
echo  "<div class=\"postedon\">Posted on ";
echo $row['PostedDate'];
echo "</div>";
echo "<br />";echo "<br />";
echo "<strong>Summary:</strong>  ";
echo $row['JobDescriptionSummary'];
echo "<br />";echo "<br />";
echo $row['JobDescriptionEdited'];
echo "<div class=\"linebreak\">&nbsp;</div>";
echo "<a href=\"/careers/files/DigiEmploymentApp.pdf\">Please fill out an application here.</a><br />";
echo "<div class=\"clear\"></div>";
echo "<hr />";	

}

if (!$row[‘CareerApplicationPostID’])
{

header(“Location:index.php”);
exit;
}
$conn = null;


#2

Study this tutorial on PDO. https://phpdelusions.net/pdo

You go through executing the query and then never use $resultSet