I wanted to know if, based on your experience, you could tell me if this query is safe against code injection.
$sql = 'UPDATE mano_de_obra SET
            detalle=:detalle, monto=:monto, usuario=:usuario
        WHERE proforma = :proforma AND codigo_auto=:codigo_auto';
$row = $this->pdo->prepare($sql)
    ->execute(array(
        ':proforma'    => $this->datos[0],
        ':codigo_auto' => $this->datos[1],
        ':monto'       => $this->datos[2],
        ':detalle'     => $this->datos[3],
        ':usuario'     => $this->usuario));
header("location: crear-facturas-venta.php?prof=" . $this->datos[0]);
exit;
The code is safe against SQL injection, thanks to PDO. In any case, keep in mind that if you are going to show the data stored in the database on the screen at some point, I recommend you use the function htmlentities(), which takes care of converting characters such as < or >, among others, to their HTML equivalents. In this way you avoid the possible case that someone inserts HTML code and damages the functioning of the site. I hope I have answered your question!
For additional security, the PDO static types must be included; this guarantees that the query parameters can be safely interpreted beforehand. For decimal data you should use PDO::PARAM_STR (there are no implicit parameters for decimal, so it is replaced by string).
References:
PDO constants
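The following is an added example that is not part of the question or either answer. It puts both recommendations together: the UPDATE from the question with each placeholder bound through bindValue() with an explicit PDO::PARAM_* type (PDO::PARAM_STR for the decimal monto, as the second answer says), and the stored value rendered back through htmlentities(), as the first answer says. A SQLite in-memory database stands in for the MySQL table, and the table layout, the $datos values and the $usuario value are constructed for the example.

```php
<?php
// Added example, not code from the question or the answers.
// Assumptions: SQLite in-memory database in place of the real server; the
// column layout of mano_de_obra and the sample values are constructed here.

declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on errors so a failed prepare() or execute() cannot go unnoticed
    // (with the default silent mode, execute() just returns false).
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // With pdo_mysql you would usually also set PDO::ATTR_EMULATE_PREPARES to
    // false so the server, not the client library, does the parameter binding.
    return $pdo;
}

function seedTable(PDO $pdo): void
{
    $pdo->exec('CREATE TABLE mano_de_obra (
        proforma INTEGER, codigo_auto TEXT, detalle TEXT, monto TEXT, usuario TEXT)');
    $pdo->exec("INSERT INTO mano_de_obra VALUES (7, 'ABC123', 'old', '0.00', 'nobody')");
}

// Same UPDATE as in the question; every placeholder is bound with an explicit
// type. Returns the number of rows the statement changed.
function updateManoDeObra(PDO $pdo, array $datos, string $usuario): int
{
    // proforma is an integer key: validate it before binding as PARAM_INT so a
    // non-numeric value is rejected instead of silently cast to 0.
    $proforma = filter_var($datos[0], FILTER_VALIDATE_INT);
    if ($proforma === false) {
        throw new InvalidArgumentException('proforma must be an integer');
    }

    $sql = 'UPDATE mano_de_obra SET
                detalle = :detalle, monto = :monto, usuario = :usuario
            WHERE proforma = :proforma AND codigo_auto = :codigo_auto';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':proforma',    $proforma, PDO::PARAM_INT);
    $stmt->bindValue(':codigo_auto', $datos[1], PDO::PARAM_STR);
    // monto is a decimal amount; PDO has no decimal type, so it is bound as a
    // string and the database converts it to the column type.
    $stmt->bindValue(':monto',       $datos[2], PDO::PARAM_STR);
    $stmt->bindValue(':detalle',     $datos[3], PDO::PARAM_STR);
    $stmt->bindValue(':usuario',     $usuario,  PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

// Parameter binding protects the SQL, not the HTML page: when the stored value
// is shown in the browser, encode it with htmlentities() as the first answer says.
function renderDetalle(PDO $pdo, int $proforma): string
{
    $stmt = $pdo->prepare('SELECT detalle FROM mano_de_obra WHERE proforma = :proforma');
    $stmt->bindValue(':proforma', $proforma, PDO::PARAM_INT);
    $stmt->execute();
    $detalle = (string) $stmt->fetchColumn();
    return '<td>' . htmlentities($detalle, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

$pdo = connect();
seedTable($pdo);

// Constructed input containing a quote, a semicolon and an HTML tag. Bound as a
// parameter it is stored literally and never becomes part of the SQL text.
$datos   = ['7', 'ABC123', '150.50', "Cambio de aceite'; -- <b>x</b>"];
$usuario = 'mecanico1';

echo updateManoDeObra($pdo, $datos, $usuario), " row(s) updated\n";
echo renderDetalle($pdo, 7), "\n";   // the tag and quote arrive encoded, not as markup

// The redirect from the question; rawurlencode() keeps the value a plain query
// parameter even if it contains characters with meaning inside a URL.
$location = 'crear-facturas-venta.php?prof=' . rawurlencode($datos[0]);
echo "Location: ", $location, "\n";
```

The example validates proforma with filter_var() before binding it as PDO::PARAM_INT; that is an addition for illustration, not something either answer prescribes, but it is the usual companion to typed binding when a value is expected to be numeric.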