DEV Community

Discussion on: Add google-like search query to your website or Database

andreasvirkus

That's great! But do not do this in production 😬
You should always sanitize the user input and never ever use a query param in your SQL, as that's injection 101.

trinly01 (Trinmar Boado, Author)

What is not safe on the code?
The $_GET['regex'] was bound through $stmt->execute().

There's no difference in safety between passing all the parameters as an array to execute, or using bindParam or bindValue.

Tried this simple injection and it doesn't work
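To make the point in the reply concrete, here is an added example that is not from the post or either commenter. It shows the same REGEXP search written three ways: with the parameter passed as an array to execute(), with bindValue(), and with the value concatenated into the SQL text. The first two treat the input as data; the third hands it to the SQL parser, which is what the first comment is warning about. Assumptions: the original post targets MySQL, so this example uses an in-memory SQLite database with a user-registered REGEXP function standing in for MySQL's operator; the products table, its rows and the search input are constructed for the demonstration.

```php
<?php
// Added example, not the post's code. Contrasts bound parameters with string
// concatenation for a user-supplied regex search.
// Assumption: SQLite in-memory DB with a registered REGEXP function replaces
// the MySQL REGEXP operator used on the original page.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side placeholders

// SQLite routes `col REGEXP pattern` to a user function regexp(pattern, col).
$pdo->sqliteCreateFunction('regexp', function (string $pattern, ?string $value): int {
    if ($value === null) {
        return 0;
    }
    // The pattern arrives as plain data; wrap it in a delimiter preg_match accepts.
    $delimited = '~' . str_replace('~', '\~', $pattern) . '~i';
    return preg_match($delimited, $value) === 1 ? 1 : 0;
});

// Constructed sample table: one row deliberately contains an apostrophe.
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$seed = $pdo->prepare('INSERT INTO products (name) VALUES (?)');
foreach (['Red Shoe', 'Blue Shirt', "O'Neil Hat"] as $name) {
    $seed->execute([$name]);
}

// Style 1: parameters passed as an array to execute(), as in the post's code.
function searchExecuteArray(PDO $pdo, string $userRegex): array
{
    $stmt = $pdo->prepare('SELECT name FROM products WHERE name REGEXP :regex');
    $stmt->execute([':regex' => $userRegex]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Style 2: bindValue() before execute(). Same placeholder, same safety.
function searchBindValue(PDO $pdo, string $userRegex): array
{
    $stmt = $pdo->prepare('SELECT name FROM products WHERE name REGEXP :regex');
    $stmt->bindValue(':regex', $userRegex, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Anti-pattern for contrast only: the value is spliced into the SQL text, so the
// database parses whatever the user typed as part of the statement.
function searchConcatenated(PDO $pdo, string $userRegex): array
{
    $sql = "SELECT name FROM products WHERE name REGEXP '" . $userRegex . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input: an ordinary search term that happens to contain a quote.
$input = "O'Neil";

print_r(searchExecuteArray($pdo, $input)); // Array ( [0] => O'Neil Hat )
print_r(searchBindValue($pdo, $input));    // Array ( [0] => O'Neil Hat )

try {
    searchConcatenated($pdo, $input);
} catch (PDOException $e) {
    // The apostrophe closed the string literal: the input reached the SQL parser
    // instead of being treated as data. That is the boundary the bound versions keep.
    echo "concatenated query failed: " . $e->getMessage() . "\n";
}
```

The two bound versions return the same row, which is the equivalence the reply describes: execute() with an array and bindValue() both send the value through the placeholder, and the apostrophe never touches the statement text. The concatenated version fails on the same benign input, which is the simplest evidence that user input is being parsed as SQL. One caveat a placeholder does not cover: the regex pattern itself is still user-controlled and is evaluated by the database engine, so cap its length and handle invalid patterns (preg_match returns false) rather than passing arbitrary expressions through.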