LBier / VermintideTracker

A tool to track your runs in Fatshark's game Warhammer: The End Times - Vermintide
MIT License

SQL Injection #12

Open IamLupo opened 6 years ago

IamLupo commented 6 years ago

https://github.com/LBier/VermintideTracker/blob/bf02565ed6e2e6fe3e42c20821693d8847d14fa8/ajax/get_book_options.php#L10

Please have a look at this attack here. Don't just trust your input. https://stackoverflow.com/questions/134099/are-pdo-prepared-statements-sufficient-to-prevent-sql-injection

Solution:

```php
$id_map = mysql_real_escape_string($_POST['map']);
$select->execute(array("id_map" => $id_map));
```

I hope you can find all the other cases yourself in your project ;) good luck!

LBier commented 6 years ago

Hm, I thought PDO's prepared statements would be sufficient protection. So your advice is to create a mysqli connection and use both prepare and real_escape_string()? Because PDO::quote doesn't seem to be as effective as real_escape_string().
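As an added example (not code from VermintideTracker or from either commenter), here is the interpolation pattern the issue warns about beside a PDO form that needs no escaping function at all: the SQL text is fixed and the request value travels as a bound parameter, with emulated prepares turned off so the server does the binding. The table and column names, the integer map id and the DSN are assumptions.

```php
<?php
// Added example, not code from VermintideTracker. Assumes a PDO connection
// to a MySQL database with a table `maps(id_map, name)`; the table, column
// names and the DSN below are constructed for illustration.
declare(strict_types=1);

function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        // Throw on errors instead of failing silently.
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepared statements. With emulation on, PDO
        // splices values into the SQL string client-side and depends on the
        // connection charset being right; off, query and values are sent apart.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Vulnerable pattern: the request value becomes part of the SQL text, so the
// value can change the structure of the query, not just the data it matches.
function bookOptionsUnsafe(PDO $db, string $map): array
{
    $sql = "SELECT id_map, name FROM maps WHERE id_map = '" . $map . "'";
    return $db->query($sql)->fetchAll();
}

// Hardened form: fixed SQL text, value bound as a typed parameter. No escaping
// call is needed; the integer check additionally rejects malformed ids early.
function bookOptionsSafe(PDO $db, string $map): array
{
    $id = filter_var($map, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];  // not a map id at all; nothing to look up
    }
    $select = $db->prepare('SELECT id_map, name FROM maps WHERE id_map = :id_map');
    $select->bindValue(':id_map', $id, PDO::PARAM_INT);
    $select->execute();
    return $select->fetchAll();
}

// Usage (constructed values): the DSN carries the charset so client and
// server agree on how bytes are interpreted.
$db  = connect('mysql:host=localhost;dbname=tracker_example;charset=utf8mb4', 'user', 'secret');
$map = $_POST['map'] ?? '';
header('Content-Type: application/json');
echo json_encode(bookOptionsSafe($db, $map));
```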