Hello,

I have this code for the insert:

class test {

    // Declared explicitly so PHP 8.2+ does not warn about a dynamic property.
    private $table;

    function __construct()
    {
        $this->table = 'testtable';
    }

    public function insert($values = array())
    {
        // Build one named placeholder per column.
        $data = array();
        foreach ($values as $field => $v)
        {
            $data[] = ':' . $field;
        }

        $data   = implode(',', $data);
        // Note: the column names (array keys) are interpolated directly into the SQL text;
        // only the values below go through bound parameters.
        $fields = implode(',', array_keys($values));

        $sql = " INSERT INTO $this->table  ($fields) VALUES ($data)";

        $statement = db::getInstance()->prepare($sql);

        foreach ($values as $f => $v)
        {
            $statement->bindValue(':' . $f, $v);
        }

        // Return false instead of an undefined variable when execute() fails.
        $result = false;
        if ($statement->execute())
        {
            $result = db::getInstance()->lastInsertId();
        }

        return $result;
    }

}

but if I pass this code:

$a = new test();
$values = array(
                 'customer_id'  =>  '13127'
                ,'product_id'   =>  '2698'
                ,'notes'        =>  "<script>alert('test')</script>"
            );
$last_id = $a->insert($values);

the database gets an injection... I thought that bindValue() was safer... Do I need to clean the code before I pass it to the class?

Sorry if someone thinks this is a stupid question.


I would suggest sanitising the data before doing anything, be it before the class or by passing the data to a function within the class.
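The following is an added example, not code from either post above: a hardened version of the posted insert() run against an in-memory SQLite database, so it works offline. It assumes the table name and its three columns are fixed by the class (so they can be allowlisted), replaces the db:: singleton with a PDO instance passed to the constructor, and uses a hypothetical check() helper to report results. It shows three things the thread touches on: bound values reach the database verbatim, so a stored `<script>` tag is not a SQL injection; the place to neutralise that string is the HTML output boundary (htmlspecialchars), not the insert; and the real SQL injection risk in the original class is the column names taken from array keys, which placeholders cannot protect and which therefore need an allowlist.

```php
<?php
declare(strict_types=1);

final class TestTable
{
    private const TABLE = 'testtable';
    // Only these identifiers may ever be interpolated into SQL text (assumed fixed by the class).
    private const COLUMNS = ['customer_id', 'product_id', 'notes'];

    public function __construct(private PDO $pdo)
    {
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // Prefer real server-side prepared statements where the driver supports them.
        $this->pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }

    public function insert(array $values): int
    {
        if ($values === []) {
            throw new InvalidArgumentException('insert() needs at least one column');
        }
        // Keys come from the caller: check them against the allowlist instead of trusting them,
        // because named placeholders can only carry values, never identifiers.
        $unknown = array_diff(array_keys($values), self::COLUMNS);
        if ($unknown !== []) {
            throw new InvalidArgumentException('Unknown column(s): ' . implode(', ', $unknown));
        }
        $fields       = array_keys($values);
        $placeholders = array_map(static fn(string $f): string => ':' . $f, $fields);

        $sql  = sprintf('INSERT INTO %s (%s) VALUES (%s)',
            self::TABLE, implode(', ', $fields), implode(', ', $placeholders));
        $stmt = $this->pdo->prepare($sql);
        foreach ($values as $field => $value) {
            // Values travel as bound parameters and are never spliced into the SQL string.
            $stmt->bindValue(':' . $field, $value);
        }
        $stmt->execute();
        return (int) $this->pdo->lastInsertId();
    }
}

// Hypothetical helper: report a check without relying on zend.assertions being enabled.
function check(bool $ok, string $what): void
{
    echo ($ok ? 'OK   ' : 'FAIL ') . $what, PHP_EOL;
}

$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE testtable (id INTEGER PRIMARY KEY AUTOINCREMENT,
            customer_id INTEGER, product_id INTEGER, notes TEXT)');
$t = new TestTable($pdo);

// Constructed input: harmless to SQL, dangerous only if later echoed into HTML unescaped.
$payload = "<script>alert('test')</script>";
$id = $t->insert(['customer_id' => '13127', 'product_id' => '2698', 'notes' => $payload]);

$sel = $pdo->prepare('SELECT notes FROM testtable WHERE id = :id');
$sel->execute([':id' => $id]);
$notes = (string) $sel->fetchColumn();
check($notes === $payload, 'bound value stored verbatim (this is not SQL injection)');

// A value that would break a concatenated query is likewise just text to a bound parameter.
$t->insert(['customer_id' => '1', 'product_id' => '2', 'notes' => "x'); DROP TABLE testtable; --"]);
check((int) $pdo->query('SELECT COUNT(*) FROM testtable')->fetchColumn() === 2,
      'table still exists and holds both rows');

// Escaping belongs at the output boundary, when the stored string is rendered as HTML.
$html = htmlspecialchars($notes, ENT_QUOTES | ENT_HTML5, 'UTF-8');
check(strpos($html, '<script') === false, 'output escaping removed the live tag: ' . $html);

// The allowlist is what stops a caller-controlled key from arriving as SQL text.
try {
    $t->insert(['notes) VALUES (1); DROP TABLE testtable; --' => 'x']);
    check(false, 'hostile column name was accepted');
} catch (InvalidArgumentException $e) {
    check(true, 'hostile column name rejected: ' . $e->getMessage());
}
```

Sanitising input before it reaches the class, as the reply suggests, does not change what the database needs: bound parameters already keep values out of the SQL, so stripping or encoding the `<script>` string on the way in mainly corrupts the stored data. The two checks that matter are the identifier allowlist on the way in and HTML escaping on the way out.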
