Hello,
I have this code for the insert:
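class test {
    /** @var string Table written by insert(). Set in the constructor, never from user input. */
    protected $table;

    function __construct() {
        $this->table = 'testtable';
    }

    /**
     * Validate a column name before it is spliced into SQL text.
     *
     * bindValue() only protects VALUES. Column names are concatenated into the
     * statement, so if the array keys ever come from a request this is where a
     * real SQL injection would happen. Only plain identifiers are accepted.
     *
     * @param mixed $name candidate column name (an array key)
     * @return string the same name, unchanged
     * @throws InvalidArgumentException when $name does not match [A-Za-z_][A-Za-z0-9_]*
     */
    public static function checkColumnName($name)
    {
        if (!is_string($name) || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException('Invalid column name: ' . var_export($name, true));
        }
        return $name;
    }

    /**
     * Insert one row into $this->table.
     *
     * Values are bound with bindValue(), so a value such as "<script>..." is
     * stored literally and cannot change the SQL; that is the correct outcome.
     * HTML escaping belongs at output time (htmlspecialchars()), not here.
     *
     * @param array $values column name => value
     * @return string|null lastInsertId() on success, null when execute() fails
     * @throws InvalidArgumentException on an empty array or a non-identifier key
     */
    public function insert($values = array())
    {
        if (!is_array($values) || count($values) === 0) {
            // The original built "INSERT INTO t () VALUES ()" here; fail early instead.
            throw new InvalidArgumentException('insert() needs at least one column');
        }

        $columns = array();
        $placeholders = array();
        foreach (array_keys($values) as $field) {
            $columns[] = self::checkColumnName($field);
            $placeholders[] = ':' . $field;
        }

        $sql = sprintf(
            'INSERT INTO %s (%s) VALUES (%s)',
            $this->table,
            implode(', ', $columns),
            implode(', ', $placeholders)
        );

        $db = db::getInstance();
        $statement = $db->prepare($sql);
        foreach ($values as $field => $value) {
            // Data travels separately from the SQL text; no escaping needed here.
            $statement->bindValue(':' . $field, $value);
        }

        if (!$statement->execute()) {
            return null;
        }
        return $db->lastInsertId();
    }
}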
But if I pass this code:
// Row to insert. The keys are literal strings written by the programmer, so
// they are safe as column names; only the values are untrusted data.
$values = array(
    'customer_id' => '13127',
    'product_id'  => '2698',
    // Stored exactly as given: bindValue() sends it as data, not as SQL.
    // Escape it with htmlspecialchars() when it is rendered into a page.
    'notes'       => "<script>alert('test')</script>",
);
$model = new test();
$last_id = $model->insert($values);
the database stores the raw `<script>` tag. I thought bindValue() was safer — should I clean the values before I pass them to the class?
Sorry if someone thinks this is a stupid question.