user2362601

Reputation: 361

PDO and Escaping Input: Is this the safest way?

I want to check myself before I go live. I read so many different things on the internet, but I want to know if this will absolutely protect my code from SQL injection. If not, what do I need to add or take away?

$idtoapprove = mysql_real_escape_string($_POST['idtoapprove']);

$getcity = $conn->prepare('SELECT city, state FROM needs WHERE ID=:idtoapprove');
$getcity->bindParam(':idtoapprove', $idtoapprove);
$getcity->execute();

$cityrow = $getcity->fetch();
$needcity = $cityrow['city'];
$needstate = $cityrow['state'];

echo "$needcity, $needstate";

Upvotes: 0

Views: 62

Answers (1)

Pekka

Reputation: 449465

No need for mysql_real_escape_string here; actually, it's flat-out wrong (it's from a different, deprecated database library) and can damage your data. (Also, it would be ineffective here anyway: mysql_real_escape_string() is for escaping strings; it is useless for integers.)

The PDO prepared statement is enough.

Upvotes: 5
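As an added illustration of the answer (not code from the question or the answer), here is the same lookup with the escaping call dropped, the ID validated as an integer, and PDO configured to raise exceptions; the DSN and credentials are placeholders, while the `needs` table and its `ID`, `city` and `state` columns come from the question.

```php
<?php
// Added example: the asker's lookup with the PDO prepared statement as the only
// injection defence. DSN and credentials below are placeholders.

declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=EXAMPLE_DB;charset=utf8mb4', // placeholder DSN
        'EXAMPLE_USER',                                            // placeholder
        'EXAMPLE_PASSWORD',                                        // placeholder
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, not silently
            PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side parameter binding
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Returns ['city' => ..., 'state' => ...], or null when the ID is invalid or unknown.
function lookupCityState(PDO $conn, string $rawId): ?array
{
    // Validate the shape first: ID is an integer column, so reject anything else before
    // it reaches the database. This is about correctness; the prepared statement below
    // is what keeps the value from being interpreted as SQL.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // No mysql_real_escape_string(): the parameter travels separately from the SQL text.
    $stmt = $conn->prepare('SELECT city, state FROM needs WHERE ID = :idtoapprove');
    $stmt->bindValue(':idtoapprove', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch();
    return $row === false ? null : $row; // fetch() returns false when no row matched
}

$result = lookupCityState(connect(), $_POST['idtoapprove'] ?? '');
if ($result === null) {
    http_response_code(404);
    exit('Not found');
}
// Escaping belongs at the output boundary (HTML here), which is separate from SQL.
echo htmlspecialchars($result['city'] . ', ' . $result['state'], ENT_QUOTES, 'UTF-8');
```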
