SQL injection is a technique where malicious users can inject SQL commands into an SQL statement, via web page input.
Binding is the way to go for direct queries in Magento.
As
$write = Mage::getSingleton("core/resource")->getConnection("core_write");
$query = "insert into table_name(name, email, company, description) values (:name, :email, :company, :desc)";
$binds = array(
'name' => "name' or 1=1",
'email' => "email",
'company' => "company",
'desc' => "desc",
);
$write->query($query, $binds);
No comments:
Post a Comment