PDO request with multiple types

Is it safe in terms of preventing SQL injection?

$query = "select * from products where 1";
// split the search text on spaces/commas; each term gets its own "?" placeholder
$searchterms = @preg_split("/[ ,]+/",trim($_REQUEST["textsearch"]));
foreach ($searchterms as &$st) {
    $query .= " and description like ?";
    $st = "%".$st."%";   // wrap the term in wildcards; the value is bound, never concatenated into $query
}
unset($st);   // drop the reference left behind by foreach (&$st) so a later $st cannot overwrite the last term
$statement = $dbh->prepare($query);
$statement->execute($searchterms);   // positional binding: one array element per "?", in order


I usually do it with the help of bindParam(), but this seems much easier, which is suspicious.

+3




1 answer


Yes, it's safe. This does the same thing as bindParam() from MySQL's point of view.

The reason for using bindParam() is that you want to bind variables by reference. Otherwise, the only thing bindParam() does is force you to write PHP code for no reason.



PS: Tangential to your question, but using LIKE for full-text search is bound to be very slow. You must use a real full-text index or Sphinx Search. See my presentation Full Text Search Markup.

+5


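The following is an added example, not code from the question or the answer above. It runs the same "one ? per search term" pattern from the question against an in-memory SQLite database (it assumes the pdo_sqlite extension is available) so it can be executed offline, shows that passing the array to execute() and calling bindValue() per placeholder produce the same result, and adds the one check the question's loop lacks: escaping LIKE metacharacters in the user's terms. The table name, rows and search strings are constructed test data.

```php
<?php
// Added example (not the question's or the answer's code). Assumes pdo_sqlite;
// the products table and its rows are constructed test data.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("create table products (id integer primary key, description text)");
$dbh->exec("insert into products (description) values
    ('red steel bolt'), ('blue steel nut'),
    ('100% cotton shirt'), ('size 100 cotton shirt')");

// Escape the LIKE metacharacters so a user-supplied '%' or '_' matches literally.
// '!' is chosen as the escape character because the clause ESCAPE '!' is accepted
// unchanged by both MySQL and SQLite (ESCAPE '\' needs different quoting on each).
function escapeLike(string $term): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

// The question's pattern: append one "?" per term, pass all values to execute().
function searchProducts(PDO $dbh, string $textsearch): array
{
    $query  = "select * from products where 1";
    $params = [];
    // PREG_SPLIT_NO_EMPTY: an empty term would become "%%" and match every row.
    $terms = preg_split("/[ ,]+/", trim($textsearch), -1, PREG_SPLIT_NO_EMPTY);
    foreach ($terms as $st) {
        $query   .= " and description like ? escape '!'";
        $params[] = "%" . escapeLike($st) . "%";
    }
    $statement = $dbh->prepare($query);   // the SQL text is fixed here, before any user data is involved
    $statement->execute($params);         // one string value per "?", bound in order
    return $statement->fetchAll(PDO::FETCH_COLUMN, 1);
}

// The same query with an explicit bindValue() per placeholder. The database
// receives exactly the same statement and parameters; only the PHP is longer.
function searchProductsBound(PDO $dbh, string $textsearch): array
{
    $terms = preg_split("/[ ,]+/", trim($textsearch), -1, PREG_SPLIT_NO_EMPTY);
    $query = "select * from products where 1"
           . str_repeat(" and description like ? escape '!'", count($terms));
    $statement = $dbh->prepare($query);
    foreach ($terms as $i => $st) {
        // positional placeholders are numbered from 1
        $statement->bindValue($i + 1, "%" . escapeLike($st) . "%", PDO::PARAM_STR);
    }
    $statement->execute();
    return $statement->fetchAll(PDO::FETCH_COLUMN, 1);
}

// Ordinary search: both variants return the same rows.
var_dump(searchProducts($dbh, "steel bolt") === searchProductsBound($dbh, "steel bolt")); // bool(true)
print_r(searchProducts($dbh, "steel bolt"));       // ['red steel bolt']

// Injection attempt: the quote and "or 1=1" are LIKE data, not SQL. The
// statement's structure is unchanged, so the search simply finds nothing.
print_r(searchProducts($dbh, "bolt' or 1=1 --"));  // []

// Wildcard in user input: thanks to escapeLike(), "100%" matches only the row
// that literally contains "100%", not "size 100 cotton shirt".
print_r(searchProducts($dbh, "100%"));             // ['100% cotton shirt']
```

Two details worth keeping in mind when reusing the question's loop. First, whether PDO sends the values separately from the statement (native prepares) or quotes them client-side (emulated prepares, the MySQL driver's default), the SQL structure is already decided when prepare() is called, so a term can only ever be matched against, never executed; the example builds a separate $params array instead of mutating $searchterms through the foreach (&$st) reference, which otherwise leaves $st aliased to the last element after the loop. Second, parameter binding protects against SQL injection but not against LIKE wildcards: without escaping, a user can pass "%" to match every row or "_" to match any single character, which is a correctness and sometimes a data-exposure issue rather than an injection one.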