GSto

Reputation: 42350

Are there any security benefits to using PDO::query vs. mysql_query?

I'm looking to refactor some legacy PHP code, and I know that PDO is more secure with the addition of prepared statements and such, but I am wondering if there are any security benefits of using the PDO::query() method vs. the mysql_query() method. Are there?

Upvotes: 3

Views: 1350

Answers (3)

codez

Reputation: 1391

You can concat strings in a PDO prepared statement from user input, so it is not more secure in any way. Prepared statements also have some drawbacks. For example, you cannot create a simple query where you use a variable amount of data, for example:

WHERE id IN (1,2,5,7,9,23)

If you know that you will use only MySQL, I suggest you go with mysqli rather than PDO. There is no need for an unnecessary abstraction layer.

Upvotes: 0

dqhendricks

Reputation: 19251

No, but if you were to use PDO prepared statements instead of PDO::query(), you would then be fairly impervious to injection attacks as it will escape variables for you.

PDO also has other benefits over mysql functions...

prepared statements
transactions
ability to switch drivers
can get result rows as objects
etc

Upvotes: 1

Brad

Reputation: 163438

Short of a bug in PDO or mysql_*, the security issues with database queries are dependent on the query being run, not what is used to connect to the database.

If you create an insecure query with user data and execute it with PDO::query(), it is just as insecure as it is with mysql_query(). Likewise, if you have a secure query, running it with PDO::query() is effectively the same as with mysql_query().

Upvotes: 6
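The point the answers make, as an added example that is not code from any of the posts: the same interpolated query is injectable through PDO::query() exactly as through mysql_query(), binding the value through prepare()/execute() is what changes the outcome, and a variable-length IN (...) list (the drawback raised in the first answer) can be bound too by generating one placeholder per value. It assumes PHP with the pdo_sqlite driver and uses an in-memory SQLite database; the table, rows and input are constructed for the demonstration.

```php
<?php
// Added example, not from the question or any answer. In-memory SQLite via PDO
// so it runs offline; the table, rows and the "user input" are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

// Constructed untrusted input: a "name" that carries its own SQL condition.
$userInput = "nobody' OR '1'='1";

// 1. Interpolating the input and running it with PDO::query(): the SQL text is
//    sent to the database as-is, exactly as mysql_query() would send it, so the
//    injected condition becomes part of the WHERE clause.
$unsafe = $pdo->query("SELECT id, name FROM users WHERE name = '$userInput'");
echo 'PDO::query with interpolation: ' . count($unsafe->fetchAll()) . " rows\n";

// 2. The same query as a prepared statement: the input is bound as a value and
//    never parsed as SQL, so it is compared literally against the name column.
$stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = ?');
$stmt->execute([$userInput]);
echo 'Prepared statement:            ' . count($stmt->fetchAll()) . " rows\n";

// 3. Variable-length IN (...) list: build one "?" per value and bind them all,
//    instead of joining the raw values into the SQL text.
$ids = [1, 2, 5, 7, 9, 23];                                  // constructed list
$placeholders = implode(',', array_fill(0, count($ids), '?'));
$in = $pdo->prepare("SELECT name FROM users WHERE id IN ($placeholders)");
$in->execute($ids);
echo 'IN list via placeholders:      '
    . implode(', ', $in->fetchAll(PDO::FETCH_COLUMN)) . "\n";
```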
