Security in PDO in PHP

Ask Time:2018-01-26T21:59:30         Author:Chris

I have this code in PHP that uses PDO to search for a publication through a slug:

<?php

$slug = "my-slug";

$conexion = new PDO("mysql:host=localhost;dbname=testdb;charset=utf8","root","");
$conexion->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$conexion->setAttribute(PDO::ATTR_ERRMODE,PDO::ERRMODE_EXCEPTION);

// Method 1

$sql = $conexion->prepare("SELECT id,titulo,contenido FROM publicaciones WHERE slug = :slug");
$sql->bindParam(":slug",$slug,PDO::PARAM_STR);

// Method 2

//$slug_full = "%". $slug . "%";

//$sql = $conexion->prepare("SELECT id,titulo,contenido FROM publicaciones WHERE slug LIKE :slug");
//$sql->bindParam(":slug",$slug_full,PDO::PARAM_STR);

$sql->execute();

$resultado = $sql->fetch();

echo $resultado["id"];

?>

I have two questions:

Is the code safe? How do I prevent the attacker from making multiple queries in the code?

Author: Chris. Reproduced under the CC 4.0 BY-SA copyright license with a link to the original source and this disclaimer.
Link to original article:https://stackoverflow.com/questions/48462791/security-in-pdo-in-php
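
Added example, not part of the original question or the asker's code: a hardened version of both lookups, with multi-statement execution disabled on the connection and LIKE wildcards escaped for Method 2. The DSN, credentials, table and column names are taken from the question; the function names and the choice of '!' as the LIKE escape character are assumptions made for illustration.

```php
<?php
// Added example. Function names are hypothetical; connection details are the question's.
function conectar(): PDO
{
    return new PDO("mysql:host=localhost;dbname=testdb;charset=utf8", "root", "", [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        // Native prepares: statement text and bound values are sent separately.
        PDO::ATTR_EMULATE_PREPARES => false,
        // Reject "query1; query2" in one call. Only honoured as a constructor option.
        PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
    ]);
}

// Method 2 helper: make user-supplied % and _ match literally, with '!' as escape.
function escaparLike(string $valor): string
{
    // The escape character itself is replaced first, then the two wildcards.
    return str_replace(["!", "%", "_"], ["!!", "!%", "!_"], $valor);
}

// Method 1: exact match. Returns null when no row exists instead of false.
function buscarPorSlug(PDO $db, string $slug): ?array
{
    $sql = $db->prepare(
        "SELECT id, titulo, contenido FROM publicaciones WHERE slug = :slug"
    );
    $sql->execute([":slug" => $slug]);
    $fila = $sql->fetch();
    return $fila === false ? null : $fila;
}

// Method 2: substring match. Only the surrounding % added here act as wildcards.
function buscarSlugParecido(PDO $db, string $slug): array
{
    $sql = $db->prepare(
        "SELECT id, titulo, contenido FROM publicaciones
         WHERE slug LIKE :patron ESCAPE '!'"
    );
    $sql->execute([":patron" => "%" . escaparLike($slug) . "%"]);
    return $sql->fetchAll();
}

$db = conectar();
$fila = buscarPorSlug($db, "my-slug");
echo $fila === null ? "not found\n" : $fila["id"] . "\n";
echo count(buscarSlugParecido($db, "my_slug")) . " similar\n"; // "_" is matched literally
```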