
I'm currently making a search form which has a lot of options with user inputs and checkboxes. I made something that actually does work, but I'm not sure whether it prevents SQL injection. I did use prepared statements, but I don't know if this is the right way to do it.

if(isset($_SERVER['REQUEST_METHOD']))
{

    $_where = array();
    $_params = array();
    $_data_arr = array();   // initialise so an empty result set does not leave it undefined

    if(!empty($_POST['naziv']))
    {
        // the JSON path is hard-coded; only the search value travels as a bound parameter
        $_where[] = "JSON_EXTRACT(listing_data, '$.naziv') LIKE ?";
        $_params[] = "%" . trim($_POST['naziv']) . "%";
    }

    if(!empty($_POST['opsteznacajke']))
    {
        // checkboxes arrive as an array; cast so a single scalar value does not break foreach
        foreach((array) $_POST['opsteznacajke'] as $opste)
        {
            $_where[] = "JSON_EXTRACT(listing_data, '$.opsteznacajke') LIKE ?";
            $_params[] = "%" . $opste . "%";
        }
    }

    // with no filters selected, "WHERE " followed by nothing is a syntax error, so fall back to a tautology
    $_where_sql = $_where ? implode(" AND ", $_where) : "1=1";

    $stmt = $pdo->prepare("SELECT * FROM listing WHERE $_where_sql");
    $stmt->execute($_params);
    while($row = $stmt->fetch()) {
        $_data_arr[] = json_decode($row['listing_data'], true);
    }

}

edit: I forgot to mention that column 'listing_data' is JSON type.

w0lfie.
  • I'd say this is _not_ vulnerable to SQL injection though I'm not sure how efficient it is to execute multiple `JSON_EXTRACT` calls for the same path. Also, `$_SERVER['REQUEST_METHOD']` is typically **always** set so your first line is probably redundant – Phil Nov 15 '21 at 02:54
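As an added example (not the asker's code, and not an answer posted on this page), the same dynamic filter as a function that takes the JSON key from a whitelist rather than from the request, escapes LIKE wildcards so `%` and `_` in user input match literally, and handles the empty-filter case; `$pdo` and the whitelist keys are assumed.

```php
<?php
// Added example, not the asker's code. Assumes $pdo is a connected PDO instance
// and that 'naziv' / 'opsteznacajke' are the only searchable keys (hypothetical whitelist).

/** Escape LIKE metacharacters so user input is matched literally inside %...%. */
function escapeLike(string $value, string $esc = '!'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $value);
}

/**
 * Build the "WHERE ..." fragment and its positional parameters from $input (e.g. $_POST).
 * Only keys in $allowedKeys become JSON paths: the path text comes from the whitelist,
 * never from the request, and every user value is passed as a bound parameter.
 */
function buildListingFilter(array $input, array $allowedKeys): array
{
    $where = [];
    $params = [];
    foreach ($allowedKeys as $key) {
        if (!isset($input[$key]) || $input[$key] === '') {
            continue;
        }
        // A text field sends a string, a checkbox group sends an array; treat both alike.
        $values = is_array($input[$key]) ? $input[$key] : [$input[$key]];
        foreach ($values as $value) {
            if (!is_string($value) || trim($value) === '') {
                continue; // ignore nested arrays and blank entries
            }
            $where[] = "JSON_EXTRACT(listing_data, '$.$key') LIKE ? ESCAPE '!'";
            $params[] = '%' . escapeLike(trim($value)) . '%';
        }
    }
    // With no filters, implode() would yield "WHERE " and a syntax error; omit the clause instead.
    $sql = $where ? ' WHERE ' . implode(' AND ', $where) : '';
    return [$sql, $params];
}

// Constructed sample request: one text field, one checkbox group, one key that is not whitelisted.
$sample = ['naziv' => '50% off', 'opsteznacajke' => ['wifi', 'parking'], 'other' => "' OR 1=1 --"];
[$whereSql, $params] = buildListingFilter($sample, ['naziv', 'opsteznacajke']);
$sql = 'SELECT listing_data FROM listing' . $whereSql;
echo $sql, PHP_EOL;   // the 'other' key never reaches the SQL text
print_r($params);     // the literal '%' in '50% off' is escaped with '!'
// $stmt = $pdo->prepare($sql);
// $stmt->execute($params);
```

The SQL string depends only on the whitelist, so even with the filter list built at run time the only attacker-controlled data is the parameter array.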

0 Answers