Recently, my database experienced an attack from MySQL injections. I did not know about injections before this incident. However, I have been studying up on what it is and how to prevent it, but I cannot seem to get anything to work for this script when I try to add SQL injection protection (it works fine on its own). How could a PDO script like this add SQL injection protection?
<?php
// Request parameters used as query input
$username = $_GET["hits"];
$sq = "something";          // database host
$pu = $_GET["something"];   // note: the database name is taken from the request
$jjj = "something";         // database user
$fff = "something";         // database password
$dbh = new PDO("mysql:host=$sq;dbname=$pu", $jjj, $fff);

// Base query with a positional placeholder for the username
$sql = 'SELECT autoj FROM tabl WHERE username = ?';
$params = array( $username );
if ( isset( $_GET['q'] ) ) {
    // Optional filter: the pattern is bound as a value, not concatenated into the SQL
    $sql .= " AND myname LIKE ?";
    $params[] = '%' . $_GET['q'] . '%';
}
$q = $dbh->prepare( $sql );
$q->execute( $params );

// Emit the matching rows as XML
$doc = new DOMDocument();
$r = $doc->createElement( "mutablerec" );
$doc->appendChild( $r );
foreach ( $q->fetchAll() as $row ) {
    $e = $doc->createElement( "mutablerec" );
    $e->setAttribute( 'autoj', $row['autoj'] );
    $r->appendChild( $e );
}
print $doc->saveXML();
?>
Edit: It appears that my prepare and execute should prevent me. However, do I need to include: $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
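For reference, here is the same lookup written the way a reviewer would want it. This is an added example, not the asker's script: the table and column names (tabl, autoj, myname, username) and the mutablerec element come from the post, while the host, database name and credentials are placeholders, and escapeLike and the charset in the DSN are additions. It keeps prepare/execute with bound parameters (which is what separates the SQL text from the values), turns emulated prepares off so the server binds the values itself, sets the connection charset in the DSN rather than leaving it to the server default, and escapes LIKE wildcards, which parameter binding does not do on its own.

```php
<?php
// Added example (not the asker's code). Host, dbname and credentials are placeholders.
declare(strict_types=1);

// Connection settings are fixed in code, not read from $_GET. The charset is part
// of the DSN so the client and server agree on how the bound values are encoded.
const DB_DSN  = 'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4';
const DB_USER = 'PLACEHOLDER_USER';
const DB_PASS = 'PLACEHOLDER_PASS';

function connect(): PDO
{
    return new PDO(DB_DSN, DB_USER, DB_PASS, [
        // Throw on errors instead of silently returning false
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepared statements: the SQL text and the
        // parameter values are sent to MySQL separately
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Binding protects the SQL structure, but a bound LIKE pattern still treats
// '%' and '_' as wildcards. Escape them so a user term matches literally.
// Backslash is MySQL's default LIKE escape character. Backslash is replaced
// first so the escapes added for '%' and '_' are not themselves doubled.
function escapeLike(string $term): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
}

function lookup(PDO $dbh, string $username, ?string $q): array
{
    $sql    = 'SELECT autoj FROM tabl WHERE username = :username';
    $params = [':username' => $username];

    if ($q !== null && $q !== '') {
        // The SQL text only ever contains the placeholder; the pattern is data
        $sql .= ' AND myname LIKE :pattern';
        $params[':pattern'] = '%' . escapeLike($q) . '%';
    }

    $stmt = $dbh->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll();
}

function toXml(array $rows): string
{
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $root = $doc->createElement('mutablerecs');
    $doc->appendChild($root);

    foreach ($rows as $row) {
        $e = $doc->createElement('mutablerec');
        // DOMDocument escapes the attribute value, so row data cannot break the XML
        $e->setAttribute('autoj', (string) $row['autoj']);
        $root->appendChild($e);
    }

    return $doc->saveXML();
}

// Usage: read the request parameters once, as strings, with explicit defaults
$username = (string) ($_GET['hits'] ?? '');
$q        = isset($_GET['q']) ? (string) $_GET['q'] : null;

header('Content-Type: application/xml; charset=utf-8');
print toXml(lookup(connect(), $username, $q));
```

With ATTR_EMULATE_PREPARES set to false, the driver sends the statement to MySQL with placeholders and the values follow in a separate binary step, so there is no client-side quoting to get wrong; with emulation on, PDO quotes the values itself using the connection's charset, which is why the charset belongs in the DSN either way.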