Lee

Reputation: 3969

PDO::Prepare safety

I've read that the PDO::Prepare function creates a safe query. Does this mean escape characters don't need to be manually literalised? Such as the backslash character.

Upvotes: 3

Views: 75

Answers (1)

Explosion Pills

Reputation: 191729

No, it absolutely does not mean that. What you read is misleading.

There is a difference between a "prepared statement" and a "parameterized query." You want the latter for sanitation purposes.

For example:

$pdo->prepare("SELECT * FROM t1 WHERE col1 = $USER_PROVIDED_VALUE");

is not safe at all even though it is prepared. Instead, you have to do this:

$stmt = $pdo->prepare("SELECT * FROM t1 WHERE col1 = ?");
$stmt->execute(array($USER_PROVIDED_VALUE));

Preparing the query isn't going to do anything for you in terms of security if you do not properly parameterize it.

Upvotes: 5
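To make the answer's point concrete, here is an added example (not code from the question or answer above) that runs against an in-memory SQLite database so it needs no server. It inserts constructed sample values containing backslashes and an apostrophe through placeholders, reads them back unchanged with no manual escaping, and then shows that the interpolated form from the answer breaks as soon as the value contains a quote. The table name `t1` and column `col1` are taken from the answer; the sample strings are constructed for this example.

```php
<?php
// Added example: parameterized PDO queries pass the value to the database
// as data, so characters like backslash and quote need no manual escaping.
// Uses sqlite::memory: so it runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec("CREATE TABLE t1 (id INTEGER PRIMARY KEY, col1 TEXT)");

// Constructed sample values: a Windows-style path with backslashes,
// a name with an apostrophe, and an ordinary string.
$samples = ["C:\\Users\\lee\\notes.txt", "O'Brien", "plain"];

$insert = $pdo->prepare("INSERT INTO t1 (col1) VALUES (?)");
foreach ($samples as $value) {
    $insert->execute([$value]);   // no addslashes(), no PDO::quote()
}

// Positional placeholder: the backslashes reach SQLite byte-for-byte.
$lookup = $pdo->prepare("SELECT col1 FROM t1 WHERE col1 = ?");
$lookup->execute(["C:\\Users\\lee\\notes.txt"]);
$found = $lookup->fetchColumn();
var_dump($found === "C:\\Users\\lee\\notes.txt");   // bool(true)

// Named placeholder: same behaviour, the apostrophe is never part of the SQL text.
$byName = $pdo->prepare("SELECT COUNT(*) FROM t1 WHERE col1 = :name");
$byName->execute([':name' => "O'Brien"]);
var_dump((int) $byName->fetchColumn());            // int(1)

// Contrast: splicing the same value into the SQL string, as in the answer's
// first snippet, makes the apostrophe terminate the literal and the query
// fails with a syntax error (SQL injection is the same mechanism, reversed).
try {
    $userValue = "O'Brien";
    $pdo->query("SELECT col1 FROM t1 WHERE col1 = '$userValue'");
} catch (PDOException $e) {
    echo "Interpolated query failed: " . $e->getMessage() . PHP_EOL;
}
```

The placeholder is the only place a user-supplied value should enter a query; anything that has to vary structurally (table names, column names, `ORDER BY` direction) cannot be parameterized and must instead be checked against a fixed allow-list in PHP before being put into the SQL string.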
