user796443
Reputation:
Using PDO without binding
$stmt = $conn->prepare('SELECT * FROM users WHERE user_id = :user_id');
$stmt->execute(array(':user_id' => $_GET['user_id']));
$result = $stmt->fetchAll(PDO::FETCH_OBJ);
I'm using PDO like that, do I need to sanitise GET parameter?
I know if I do $stmt->bindParam(':user_id', $_GET['user_id'], PDO::PARAM_INT); than it is not a problem. But is my way safe?
Upvotes: 5
Views: 728
Answers (1)
deceze
Reputation: 522382
Yes, it's safe. The only differences between execute and bind* are:
executeaccepts several parameters at once, while you have tobind*each one individuallybind*allows you to specify the parameter type, whileexecutebinds everything as strings
Passing parameters to execute is mostly a convenience shorthand, it's still safe.
Upvotes: 9
Related Questions
- Can I "unsanitize" during a PDO SELECT?
- Prevent SQL Injection: Do I need to escape input before binding values into a PDO query
- How do I sanitize input with PDO?
- Omitting bindParam with PDO is safe?
- PDO without mysql_real_escape_string and bindValue
- Correct way to sanitize input in MySQL using PDO
- Sanitizing Form Input in PDO-based Query
- pdo insert sanitizing html on server, not locally
- PHP PDO Sanitize variables
- sanitizing variables with PDO