
Escape username/password in PDO connection

Posted: Tue Apr 08, 2008 6:06 am
by georgeoc
Hi all,

What is the correct way to filter/escape user-inputted values for database host, name, username and password, to be used in a PDO connection?

Thanks

Re: Escape username/password in PDO connection

Posted: Tue Apr 08, 2008 11:20 am
by Christopher
Use prepared statements or see the manual:

http://www.php.net/manual/en/function.PDO-quote.php

Re: Escape username/password in PDO connection

Posted: Tue Apr 08, 2008 11:27 am
by georgeoc
I'm talking about the strings that are used in the PDO constructor - the host, database engine & db name which form the DSN, plus the username and password. Do these strings need escaping when working with user-submitted info (i.e. when they first configure the application)?

I don't know whether these fields represent a possible target for attack.
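
An added example, not part of the thread: one way to treat the DSN components as untrusted configuration input by validating each against an allowlist before the DSN string is assembled, with the username and password passed as separate constructor arguments. The helper name `buildDsn`, the MySQL-only driver list, the character rules and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: build a PDO DSN from installer-supplied values,
// rejecting anything outside a strict allowlist instead of trying to escape it.
function buildDsn(string $driver, string $host, string $dbname, int $port = 3306): string
{
    // Only the drivers the application actually supports (assumed: MySQL only).
    if (!in_array($driver, ['mysql'], true)) {
        throw new InvalidArgumentException('Unsupported driver');
    }
    // Hostname or IPv4 literal: letters, digits, dots and hyphens only.
    // This excludes ';' and '=', which delimit key/value pairs in a DSN.
    if (!preg_match('/\A[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?\z/', $host)) {
        throw new InvalidArgumentException('Invalid host');
    }
    // Assumed naming policy for database names: word characters, max 64.
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $dbname)) {
        throw new InvalidArgumentException('Invalid database name');
    }
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException('Invalid port');
    }
    return sprintf('%s:host=%s;port=%d;dbname=%s', $driver, $host, $port, $dbname);
}

// Constructed sample input, standing in for values from a setup form.
$samples = [
    ['mysql', 'db.example.internal', 'app_data'],
    ['mysql', 'localhost;dbname=other', 'app_data'], // extra DSN key in the host field
    ['sqlite', 'localhost', 'app_data'],             // driver not on the allowlist
];

foreach ($samples as [$driver, $host, $dbname]) {
    try {
        $dsn = buildDsn($driver, $host, $dbname);
        echo "accepted: $dsn\n";
        // The credentials are never concatenated into the DSN; they go in
        // as their own constructor arguments:
        // $pdo = new PDO($dsn, $username, $password,
        //     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    } catch (InvalidArgumentException $e) {
        echo "rejected ($driver, $host): {$e->getMessage()}\n";
    }
}
```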