PDO :: Security Preparation
I read that the function PDO::prepare
creates a secure query. Does this mean that escape characters do not have to be escaped manually? For example, the backslash character.
+3
Lee
1 answer
No, it doesn't mean that at all. What you are reading is misleading.
There is a difference between a "prepared statement" and a "parameterized query". You want the latter for sanitization purposes.
For example:
$pdo->prepare("SELECT * FROM t1 WHERE col1 = $USER_PROVIDED_VALUE"); // unsafe: the value is interpolated into the SQL text before it is prepared
is not safe at all, although it is prepared. Instead, you should do this:
$stmt = $pdo->prepare("SELECT * FROM t1 WHERE col1 = ?"); // the SQL text contains only a placeholder
$stmt->execute(array($USER_PROVIDED_VALUE));              // the value is bound as data at execute time
Preparing a query won't do anything for you from a security standpoint if you don't parameterize it correctly.
+5
Explosion pills
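As an added example (not code from the question or the answer above), here is the parameterized form run end to end against an in-memory SQLite database; it assumes the pdo_sqlite extension is available, and the table and sample rows are constructed for the demonstration. It shows the point the answer makes: a value bound through a placeholder is handled as data, so backslashes and quotes in it need no manual escaping.

```php
<?php
declare(strict_types=1);

// Open an in-memory SQLite database (assumes pdo_sqlite is installed).
function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on errors instead of failing silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Prefer native prepared statements where the driver supports them, so
    // placeholders are handled by the database engine rather than by
    // client-side string interpolation.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE t1 (id INTEGER PRIMARY KEY, col1 TEXT NOT NULL)');
    return $pdo;
}

// Parameterized query: the SQL text never contains user data; the value is
// bound to the placeholder at execute() time.
function findByCol1(PDO $pdo, string $userValue): array
{
    $stmt = $pdo->prepare('SELECT id, col1 FROM t1 WHERE col1 = ?');
    $stmt->execute([$userValue]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = connect();

// Constructed sample rows, including characters that would need escaping
// in hand-built SQL: a backslash, a single quote and double quotes.
$samples = ["plain", "C:\\temp\\file", "O'Brien", 'say "hi"'];
$insert = $pdo->prepare('INSERT INTO t1 (col1) VALUES (?)');
foreach ($samples as $v) {
    $insert->execute([$v]);   // the same placeholder mechanism, no escaping
}

// Each lookup compares against the full stored value, backslash and quotes
// included, because the value is bound as data rather than spliced into SQL.
foreach ($samples as $probe) {
    $rows = findByCol1($pdo, $probe);
    printf("%-16s -> %d row(s)\n", $probe, count($rows));
}
```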