Nov 1, 2010
I'm new to PDO and have just started using it. I have already inserted, updated and deleted data with it, and the basics are very simple to use.
In a test environment I inserted some HTML code into the database. Like:
I'm trying this out because I'm using a simple WYSIWYG editor on my site for the users, and I want to be sure the data is safe.
Using the following:
/*** prepare the query with named placeholders ***/
$stmt = $dbh->prepare("SELECT * FROM naruto WHERE id = :id AND name = :name");
/*** bind the parameters ***/
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$stmt->bindParam(':name', $name, PDO::PARAM_STR, 5);
/*** run it ***/
$stmt->execute();
Where name is one of the HTML codes, the HTML is just executed, so the text is shown in bold and not in the form <b>text</b>.
I'm wondering if there is a PDO function to stop this, or do I just need to use htmlentities and strip_tags?
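The following is an added example, not code from the original post. It separates the two concerns the question mixes together: the prepared statement protects the query (SQL injection), while what the browser does with a stored string is decided at output time (cross-site scripting), so PDO has no setting for it. It assumes PHP 7.4 or later with the pdo_sqlite extension, and uses an in-memory SQLite table named naruto in place of the poster's MySQL database; the helper names renderAsText, renderAsRichText and sanitizeNode and the sample input are made up for the demo.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 7.4 with pdo_sqlite;
// table, column and function names are hypothetical.
declare(strict_types=1);

// In-memory SQLite stands in for the poster's MySQL database.
$dbh = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$dbh->exec('CREATE TABLE naruto (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample input: what a user might submit from a WYSIWYG editor.
$userInput = '<b>Naruto</b><img src=x onerror="alert(1)"> \' OR 1=1 --';

// 1. Storage. The prepared statement keeps the quote and "OR 1=1" from changing
//    the query, but it stores the HTML exactly as submitted; that is by design.
$ins = $dbh->prepare('INSERT INTO naruto (name) VALUES (:name)');
$ins->bindValue(':name', $userInput, PDO::PARAM_STR);
$ins->execute();
$id = (int) $dbh->lastInsertId();

$stmt = $dbh->prepare('SELECT * FROM naruto WHERE id = :id AND name = :name');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->bindValue(':name', $userInput, PDO::PARAM_STR);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 2. Output. Decide at render time how the stored string may reach the browser.

// (a) Plain-text rendering: encode everything, so the page shows "<b>Naruto</b>" literally.
function renderAsText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// (b) Rich-text rendering for WYSIWYG content: keep an allowlist of tags and drop
//     every attribute, so <b> survives but the onerror handler does not.
//     strip_tags() alone is not enough, because it keeps attributes on the tags it
//     allows. For production use a maintained sanitizer such as HTML Purifier.
function renderAsRichText(string $html, array $allowed = ['b', 'i', 'em', 'strong', 'p', 'br']): string
{
    $doc = new DOMDocument();
    // Wrap the fragment in a root element so it parses predictably; the leading
    // processing instruction makes libxml treat the input as UTF-8.
    @$doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    $root = $doc->getElementsByTagName('div')->item(0); // first div in document order is our wrapper
    $out = '';
    foreach (iterator_to_array($root->childNodes) as $node) {
        $out .= sanitizeNode($node, $allowed);
    }
    return $out;
}

function sanitizeNode(DOMNode $node, array $allowed): string
{
    if ($node instanceof DOMText) {
        // Text is always encoded, whatever element it sits in.
        return htmlspecialchars($node->nodeValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    if (!$node instanceof DOMElement) {
        return ''; // comments, processing instructions and the like are dropped
    }
    $inner = '';
    foreach (iterator_to_array($node->childNodes) as $child) {
        $inner .= sanitizeNode($child, $allowed);
    }
    $tag = strtolower($node->tagName);
    if (!in_array($tag, $allowed, true)) {
        return $inner; // unknown element: keep its sanitised text, lose the tag and all attributes
    }
    // Allowed elements are re-emitted without any attributes.
    return $tag === 'br' ? '<br>' : "<{$tag}>{$inner}</{$tag}>";
}

echo "Stored verbatim: {$row['name']}\n";
echo "As text:         " . renderAsText($row['name']) . "\n";
echo "As rich text:    " . renderAsRichText($row['name']) . "\n";
```

Run it from the command line and compare the three lines: the stored value still contains the img tag and its onerror attribute, the text rendering shows every angle bracket as a literal character, and the rich-text rendering keeps the bold markup but emits nothing for the img element. The point for the original question is that the encoding step belongs in the view, next to the echo, not in the database layer; htmlentities and strip_tags are the right family of tools, but strip_tags with an allowed-tags list keeps attributes, which is where the script-bearing handlers live.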