I read that you do not need to validate or sanitize user's input if you use prepared statements.
This however does not make sense to me in the following example.
The user gives his email address.
I normally run this
Validation code
// Validate the submitted address before it is used anywhere
if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
    header("Location: index.php");
    die("Wrong email-address");
}
The statement says that we do not need to validate data if we use prepared statements, as follows
Code without the validation code
// Fetch the email address and password hash from the db;
// $1 and $2 are placeholders that pg_execute() fills in as bound values
$result = pg_prepare($dbconn, "query2", 'SELECT email, passhash_md5
    FROM users WHERE email = $1
    AND passhash_md5 = $2;');
$result = pg_execute($dbconn, "query2", array($_POST['email'], $_POST['password']));
if (!$result) {
    echo "An error occurred";
    exit;
}
I am not sure if we need the validation code or not in the last code, since we use pg_prepare and pg_execute.
Do you need to consider validating and sanitizing user's input if you use prepared statements?
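An added example (not the asker's code) showing the two layers side by side: the parameterised query stops the value from changing the SQL structure, while the validation decides whether the value is acceptable at all. It assumes `$dbconn` is an open `pg_connect()` handle and that `users.passhash` stores `password_hash()` output, a deliberate change from the question's MD5 column, with the comparison done in PHP by `password_verify()`.

```php
<?php
// Added example, not the asker's code. Two separate layers:
//   validation  - decides whether the value is acceptable at all
//   parameters  - keep the value from changing the SQL structure
// Assumes $dbconn is an open pg_connect() handle and that users.passhash
// holds password_hash() output (a change from the question's MD5 column).

// Layer 1: validate shape. The same filter_var() check as in the question,
// plus a length limit so an oversized password is never fed to the hasher.
function validate_login_input(array $post): ?array {
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $password = $post['password'] ?? '';
    if ($email === false || $password === '' || strlen($password) > 1024) {
        return null;                       // reject; caller redirects or errors
    }
    return ['email' => $email, 'password' => $password];
}

// Layer 2: parameterised lookup. $1 is a placeholder; the value travels
// separately from the SQL text, so an input such as "x' OR 1=1 --" is just
// an e-mail value that matches no row. Parameters do not make the value
// well-formed, which is why layer 1 still runs first.
function find_user($dbconn, string $email): ?array {
    static $prepared = false;              // pg_prepare() fails if the name is reused
    if (!$prepared) {
        pg_prepare($dbconn, 'find_user',
            'SELECT email, passhash FROM users WHERE email = $1');
        $prepared = true;
    }
    $result = pg_execute($dbconn, 'find_user', [$email]);
    if ($result === false) {
        return null;
    }
    $row = pg_fetch_assoc($result);        // false when no row matched
    return $row === false ? null : $row;
}

// Glue: the password is never sent to the database in any form; it is
// compared in PHP against the stored hash.
function login(array $post, $dbconn): bool {
    $input = validate_login_input($post);
    if ($input === null) {
        return false;                      // invalid input, no query issued
    }
    $user = find_user($dbconn, $input['email']);
    return $user !== null && password_verify($input['password'], $user['passhash']);
}
```

Note that neither layer encodes the value for other contexts: if the e-mail is later echoed into HTML, it still needs `htmlspecialchars()` at that point.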