> > >

PHP MCQs

What is the best practice for running MySQL queries in PHP? Consider the risk of SQL injection.

Use mysql_query() and variables: for example: $input = $_POST[‘user_input’]; mysql_query(“INSERT INTO table (column) VALUES (‘” . $input . “‘)”);

Use PDO prepared statements and parameterized queries: for example: $input= $_POST[“user-input”] $stmt = $pdo->prepare(„INSERT INTO table (column) VALUES (“:input”); $stmt->execute(array(„:input‟ => $input));

Use mysql_query() and string escaped variables: for example: $input= $_POST[“user-input”] $input_safe = mysql_real_escape_string($input); mysql_query(“INSERT INTO table (column) VALUES („” . $input. “„)”);

Use mysql_query() and variables with a blacklisting check: for example: $blacklist = array(“DROP”,”INSERT”,”DELETE”); $input= $_POST[“user-input”] if (!$array_search($blacklist))) mysql_query(“INSERT INTO table (column) VALUES („” . $input. “„)”);

Answer

Correct Answer: Use PDO prepared statements and parameterized queries: for example: $input= $_POST[“user-input”] $stmt = $pdo->prepare(„INSERT INTO table (column) VALUES (“:input”); $stmt->execute(array(„:input‟ => $input));

Explanation:

Note: This Question is unanswered, help us to find answer for this one

PHP Skill Assessment

Your Skill Level: Poor

Retake Quizzes to improve it