Lukas
Reputation: 169
Is it needed to filter/sanitize input if prepared statements are used?
Is it needed to filter/sanitize input if prepared statements are used or is it enough to sanitize/filter it on output? If the prepared statements are used the input cannot "hurt" only the output can which will be always sanitized and filtered.
Upvotes: 1
Views: 334
Answers (1)
Vilx-
Reputation: 106970
If you put EVERYTHING that comes from the user into a parameter, then, no, don't sanitize it. A parameter is automatically sanitized. If however you put something directly into an SQL string (concatenate strings), then, yes, you need to sanitize.
Upvotes: 3
Related Questions
- Do i need to sanitize input if using prepared PHP/MySQL queries?
- should i still sanitise input with mysqli?
- Do I have to sanitize user input with prepared SQL statements?
- Do I need to sanitize results from database query?
- Is there a reason to sanitize using (mysqli_real_escape_string) on my $_GET or $_POST variables when using prepared statements?
- Is there any reason to sanitize user input if the input is not going to be stored anywhere?
- PHP SQL Sanitation VS Prepared Statements
- Should i sanitize/filter user input and output when using PHP PDO?
- PHP & mySQLi: Do I still need to check user input when using prepare statements?
- PHP / MYSQL: Sanitizing user input - is this a bad idea?