PDOフォームの入力

Question

現在のところ、私はこのコードを使用していますが、変更するたびに脆弱性に開放されているとは言いがたいので、うまくいきます。$dateToから:dateTo

$from = $_POST['from']; 
    $dateTo = $_POST['dateTo']; 
    $hourTo = $_POST['hoursTo']; 
    $hourFrom = $_POST['hoursFrom']; 
    $minuteTo = $_POST['minutesTo']; 
    $minuteFrom = $_POST['minutesFrom']; 

$sql = "SELECT sum(countAudit) AS AMZL, sum(countAudit) AS OTHER, dateEntered, count(sort_id) AS Audited, sum(error) AS error, timeEntered 
FROM audits WHERE (dateEntered BETWEEN ':from' AND '$dateTo')"; 



$query = $db->prepare($sql); 
$query->bindParam(':from', $from); 
$query->bindParam(':dateTo', $dateTo); 

    $query->execute(); 
foreach($db->query($sql) as $row){ 
    echo $row['AMZL'] . "<br>"; 
} 

Answer 1

プレースホルダーという名前のプレースホルダは、引用符で囲む必要はありません。

Plusは、直接クエリステートメント内の変数を注入していない：それは準備された文の目的を敗北さ

AND '$dateTo')"; 

。

​​と->execute()を混ぜてはいけません。ただまっすぐ->execute()使用：

$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 
// turn on error reporting 

$from = $_POST['from']; 
$dateTo = $_POST['dateTo']; 
$hourTo = $_POST['hoursTo']; 
$hourFrom = $_POST['hoursFrom']; 
$minuteTo = $_POST['minutesTo']; 
$minuteFrom = $_POST['minutesFrom']; 

$sql = " 
    SELECT 
    sum(countAudit) AS AMZL, 
    dateEntered, 
    count(sort_id) AS Audited, 
    um(error) AS error, 
    timeEntered 

    FROM audits 
    WHERE (dateEntered BETWEEN :from AND :dateTo) 
"; //       ^remove quotes^ 

$query = $db->prepare($sql); 
$query->bindParam(':from', $from); 
$query->bindParam(':dateTo', $dateTo); 
$query->execute(); // execute 
$results = $query->fetchAll(PDO::FETCH_ASSOC); 
// don't forget to fetch the results 

foreach($results as $row){ 
    echo $row['AMZL'] . "<br>"; 
}