PDO :: Security Preparation
1 answer
No, it doesn't mean that at all. What you are reading is misleading.
There is a difference between a "prepared statement" and a "parameterized query". You want the latter for security purposes.
For example:
$pdo->prepare("SELECT * FROM t1 WHERE col1 = $USER_PROVIDED_VALUE");
is not safe at all although it is prepared. Instead, you should do this:
$stmt = $pdo->prepare("SELECT * FROM t1 WHERE col1 = ?");
$stmt->execute(array($USER_PROVIDED_VALUE));
Preparing a query won't do anything for you from a security standpoint if you don't parameterize it correctly.
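The two queries from the answer run end to end, as an added example that is not part of the original answer. It assumes PHP with PDO and the SQLite driver; the table, its rows and the user input are constructed here.

```php
<?php
// Added example: the "prepared but interpolated" query beside the parameterized one,
// run against an in-memory SQLite database so the difference is observable.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With MySQL you would additionally set PDO::ATTR_EMULATE_PREPARES to false so the
// server, not PDO, handles the placeholders; pdo_sqlite always uses native prepares.

// Constructed sample table and rows.
$pdo->exec("CREATE TABLE t1 (id INTEGER PRIMARY KEY, col1 TEXT)");
$pdo->exec("INSERT INTO t1 (col1) VALUES ('alice'), ('bob')");

// Constructed user input containing a quote. Treated as data, it matches no row.
$USER_PROVIDED_VALUE = "o'brien";

// 1. Prepared but NOT parameterized: the value is spliced into the SQL text, so the
//    quote becomes part of the query's syntax and the statement does not even parse.
try {
    $stmt = $pdo->prepare("SELECT * FROM t1 WHERE col1 = $USER_PROVIDED_VALUE");
    $stmt->execute();
} catch (PDOException $e) {
    echo "interpolated query failed: " . $e->getMessage() . PHP_EOL;
}

// 2. Parameterized: the SQL text is fixed at prepare time and the value travels
//    separately, so it can only ever be compared as a string, never read as SQL.
$stmt = $pdo->prepare("SELECT * FROM t1 WHERE col1 = ?");
$stmt->execute([$USER_PROVIDED_VALUE]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo "parameterized query returned " . count($rows) . " row(s)" . PHP_EOL;

// 3. Named placeholders behave the same; bind non-string values with an explicit
//    type so the driver does not quote an integer where one is not allowed.
$stmt = $pdo->prepare("SELECT col1 FROM t1 WHERE id = :id");
$stmt->bindValue(':id', 1, PDO::PARAM_INT);
$stmt->execute();
echo "row 1: " . $stmt->fetchColumn() . PHP_EOL;
```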