PHP初心者です。データベースとの接続をサンプルを参考に書いてみたのですが、これでセキュリティ対策は大丈夫でしょうか?確認したところSQL文の動作はしました。
<?php ini_set('display_errors',1); try{ $dbh=new PDO('mysql:host=mysql.phy.lolipop.???;dbname=LAA084???-suarez;charset=utf8','LAA0847???','katotaku???'); $dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES,false); $stmt =$dbh->prepare( "select `id`, `product_vote`,`product_name`,`name`, ( select count(*)+1 from products as t2 where t2.`product_vote` > t1.`product_vote`) as rank from products as t1 where id = id ORDER BY RAND() LIMIT 2"); $stmt->setFetchMode(PDO::FETCH_ASSOC); $stmt->bindParam(1,$id,PDO::PARAM_STR); $stmt->bindParam(2,$product_vote,PDO::PARAM_STR); $stmt->bindParam(3,$product_name,PDO::PARAM_STR); $stmt->execute(); while($row=$stmt->fetch(PDO::FETCH_ASSOC)) { $id = $row['id']; $rank =htmlspecialchars( $row['rank']); $name = $row['name']; $product_name = $row['product_name']; $product_vote = htmlspecialchars($row['product_vote']); ?> <div class="container" > <div class="row"> <div style="margin-top:10px;margin-right:18px;"class=" col-md-1 col-md-offset-3 col-xs-5 col-xs-offset-" > <p style="margin-left:40px;font-weight:bold;color:white;"> <?php echo $name;?> </p> <p class="trimming"> <?php echo $product_name;?> </p> <div style="margin-right:18px;"class=" col-md-3 col-md-offset-3 col-xs-5 col-xs-offset-5" > <p style="color:white;"> <?php echo "RANK:".$rank;?> </p> <input type="image"onclick="location.reload();" id="<?php echo $id;?>"style="width:60px;" src="hearts-xxl.png" > <span id="num" style="color:white;"> <?php echo "Score:". $product_vote; ?> </span> </div> </div> <?php } $stmt=null; }catch(PDOExeption $e){ echo $e->getMessage(); } ?>