I have this awesome loop from a question I asked yesterday. Previously, I could use mysql_real_escape_string($val) and that would handle protection against injection attacks and such. With PDO, however, there is not quite as simple a function.
What can I do?
    if (($_GET['mode'] == "update") and isset($_GET['id']) and isset($_POST['who'])) {
        $query = "update subcontractors set";
        $comma = " ";
        // only these column names may appear in the SET clause
        $whitelist = array("firstname","lastname","address","city","state","zip","phone1","phone2","phone3","email","dob","ssn","website","checks");
        foreach ($_POST as $key => $val) {
            if (!empty($val) && in_array($key, $whitelist)) {
                // the column name is whitelisted, but the value is concatenated
                // into the SQL text unescaped
                $query .= $comma . $key . "='" . $val . "'";
                $comma = ", ";
            }
        }
        // the id is also concatenated straight from the request
        $query .= " where id=" . $_POST['who'];
        include "connect.php";
        $db->query($query);
    } #endif UPDATE SECTION
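The same whitelist-driven UPDATE rewritten with PDO prepared statements, as an added example that is not part of the question. Placeholders can only bind values, not identifiers, so the column names still have to come from the whitelist; the values and the id are bound as parameters and never enter the SQL text. It assumes `$db` is the PDO instance created by `connect.php`.

```php
<?php
// Build "UPDATE table SET col1 = :col1, ... WHERE id = :id" from request data.
// Column names are taken only from $whitelist (our own literals, not the request);
// every value becomes a bound parameter.
function buildUpdate(array $input, array $whitelist, string $table): array
{
    $sets = [];
    $params = [];
    foreach ($input as $key => $val) {
        // keep "0" as a legitimate value; skip only empty strings
        if ($val === '' || !in_array($key, $whitelist, true)) {
            continue;
        }
        $sets[] = "`$key` = :$key";
        $params[":$key"] = $val;
    }
    if ($sets === []) {
        throw new InvalidArgumentException('no updatable fields supplied');
    }
    $sql = "UPDATE `$table` SET " . implode(', ', $sets) . " WHERE id = :id";
    return [$sql, $params];
}

if (isset($_GET['mode'], $_POST['who']) && $_GET['mode'] === 'update') {
    $whitelist = ["firstname", "lastname", "address", "city", "state", "zip",
                  "phone1", "phone2", "phone3", "email", "dob", "ssn", "website", "checks"];

    include "connect.php"; // assumed to define $db as a PDO instance

    [$sql, $params] = buildUpdate($_POST, $whitelist, 'subcontractors');
    // "who" is not whitelisted, so it was skipped above; bind it explicitly as the id
    $params[':id'] = (int) $_POST['who'];

    $stmt = $db->prepare($sql);
    $stmt->execute($params);
}
```

With `$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION)` set in connect.php, a failed prepare or execute throws instead of silently returning false.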