I'm trying to fetch data and convert it into JSON format. Some days ago I was using MySQLi, but when I asked a question for code review someone told me it is susceptible to SQL injection. Now I'm trying to use PDO.

PHP MySQLi (OOP-based)

$CompanyRes = array();
// Fixed query text, no user input is concatenated in
$Company = "select * from `ws_company` where `cm_status` = 1";
$CompanyQuery = mysqli_query($this->connection, $Company);
// Collect every row as an associative array (column => value)
while ($rowCom = mysqli_fetch_assoc($CompanyQuery)) {
    $CompanyRes[] = $rowCom;
}

PDO-based

// Prepared statement with no parameters: the SQL text is fixed
$CompanySts = $this->pdoConnection->prepare("select * from `ws_company` where `cm_status` = 1");
$CompanySts->execute();
header("Content-type: application/json; charset=utf-8");
$CompanyRes = array();
while ($row = $CompanySts->fetch(PDO::FETCH_ASSOC)) {
    // utf8_encode() converts ISO-8859-1 to UTF-8; only correct if the
    // connection really returns Latin-1, otherwise UTF-8 data is double-encoded
    $CompanyRes[] = array_map('utf8_encode', $row);
}
// $CompanyRes is the array that is then passed to json_encode()

Both work the same for me, but I wanted to know whether the second one is correct or not, and if I'm missing something.

The code susceptible to SQL injection in your previous question was the insertion query. – hjpotter92 May 10 at 4:41
    
There is no chance of SQL injection when you are not passing any user input into the query, so in this select query there is no chance of SQL injection. And if you want to prevent SQL injection, using PDO alone can't help you unless you use prepared statements. – itzmukeshy7 May 10 at 5:27
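Worked example, added here and not part of the question or either comment: the same `ws_company` query in PDO, once with the filter value pasted into the SQL text (still injectable despite `prepare()`) and once with a bound parameter, then encoded as JSON. It assumes an in-memory SQLite table built to match the question's columns; the MySQL DSN and `$_GET['status']` are placeholder assumptions, not values from the question.

```php
<?php
declare(strict_types=1);

// Added example (not the asker's code). An in-memory SQLite database lets it
// run stand-alone; for MySQL the DSN would be
// "mysql:host=...;dbname=...;charset=utf8mb4" (placeholder), ideally with
// PDO::ATTR_EMULATE_PREPARES => false so prepares happen server-side.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Constructed sample rows in the same shape as the question's `ws_company`.
$pdo->exec("create table `ws_company` (`cm_id` integer primary key, `cm_name` text, `cm_status` integer)");
$pdo->exec("insert into `ws_company` values (1, 'Ärzte GmbH', 1), (2, 'Old Co', 0)");

// Still injectable despite prepare(): the value becomes part of the SQL text,
// so the database cannot tell data from query structure.
function fetchCompaniesUnsafe(PDO $pdo, string $status): array
{
    $stmt = $pdo->prepare("select * from `ws_company` where `cm_status` = $status");
    $stmt->execute();
    return $stmt->fetchAll();
}

// Safe: the placeholder fixes the SQL structure and the value is sent
// separately; the int type hint rejects non-numeric input before the query.
function fetchCompanies(PDO $pdo, int $status): array
{
    $stmt = $pdo->prepare("select * from `ws_company` where `cm_status` = :status");
    $stmt->bindValue(':status', $status, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

$status = (int) ($_GET['status'] ?? 1); // placeholder: cast user input first
$rows   = fetchCompanies($pdo, $status);

// With charset=utf8mb4 in the DSN the driver already returns UTF-8, so no
// utf8_encode() pass is needed; it would double-encode non-ASCII names.
header('Content-Type: application/json; charset=utf-8');
echo json_encode($rows, JSON_THROW_ON_ERROR | JSON_UNESCAPED_UNICODE), "\n";
```

Running it from the command line prints the single active company as a JSON array; `fetchCompaniesUnsafe()` is shown only for contrast and is never called.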
