PDO::prepare and security

I read that the function PDO::prepare creates a secure query. Does this mean that escape characters, for example the backslash, do not have to be escaped manually?

+3




1 answer


No, it doesn't mean that at all. What you are reading is misleading.

There is a difference between a "prepared statement" and a "parameterized query". You want the latter for sanitization purposes.

For example:

// Vulnerable: the user-supplied value is interpolated into the SQL text
// before prepare() ever sees it, so any quotes or operators it contains
// become part of the statement.
$pdo->prepare("SELECT * FROM t1 WHERE col1 = $USER_PROVIDED_VALUE");
is not safe at all, although it is prepared. Instead, you should do this:

// Safe: the SQL text contains only a placeholder; the value is bound
// separately at execute() time and is never parsed as SQL.
$stmt = $pdo->prepare("SELECT * FROM t1 WHERE col1 = ?");
$stmt->execute(array($USER_PROVIDED_VALUE));
Preparing a query won't do anything for you from a security standpoint if you don't parameterize it correctly.

+5


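The difference the answer describes, as an added example that is not part of the original question or answer. It uses an in-memory SQLite database through PDO so it runs offline; the table, the rows and the attacker-style input `$USER_PROVIDED_VALUE` are constructed for the demonstration, and the interpolated variant wraps the value in quotes, as real code usually would, so that the injected quote is what breaks out of the literal.

```php
<?php
// Added example (not from the original post). Run with: php example.php
// Requires the pdo_sqlite extension, which ships with most PHP builds.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data. SQLite does not treat backslash as an escape
// character in string literals, so the third row stores C:\temp\x verbatim.
$pdo->exec("CREATE TABLE t1 (id INTEGER PRIMARY KEY, col1 TEXT)");
$pdo->exec("INSERT INTO t1 (col1) VALUES ('alice'), ('bob'), ('C:\\temp\\x')");

// Constructed attacker input: closes the string literal, then appends a tautology.
$USER_PROVIDED_VALUE = "alice' OR '1'='1";

// 1. Interpolation. prepare() is called, but the query text already contains
//    the attacker's characters, so the SQL parser treats them as SQL and the
//    WHERE clause becomes: col1 = 'alice' OR '1'='1'
$stmt = $pdo->prepare("SELECT col1 FROM t1 WHERE col1 = '$USER_PROVIDED_VALUE'");
$stmt->execute();
$interpolated = count($stmt->fetchAll(PDO::FETCH_COLUMN));

// 2. Placeholder. The SQL text is fixed at prepare() time; the value is sent
//    separately as data and is compared literally, quote and all.
$stmt = $pdo->prepare("SELECT col1 FROM t1 WHERE col1 = ?");
$stmt->execute([$USER_PROVIDED_VALUE]);
$parameterized = count($stmt->fetchAll(PDO::FETCH_COLUMN));

// 3. The backslash question from the post: a bound value needs no manual
//    escaping. The PHP single-quoted literal below is the string C:\temp\x.
$stmt->execute(['C:\\temp\\x']);
$backslash = count($stmt->fetchAll(PDO::FETCH_COLUMN));

printf("interpolated:  %d row(s) matched\n", $interpolated);
printf("parameterized: %d row(s) matched\n", $parameterized);
printf("backslash:     %d row(s) matched\n", $backslash);
```

The interpolated query matches every row in the table because the tautology is now part of the statement; the parameterized query matches none, because it looks for a column value that is literally `alice' OR '1'='1`; and the backslash lookup finds the one row that was stored, with no escaping on the caller's side. One caveat worth knowing when moving this to pdo_mysql: that driver emulates prepares client-side by default, which still quotes bound values safely, but setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes it use real server-side prepared statements.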






