Are PDO prepared statements sufficient to prevent SQL injection?
Posted by Mark Biek on Stack Overflow
Published on 2008-09-25T15:43:35Z
Let's say I have code like this:
<?php
// DSN is left as the placeholder from the question
$dbh = new PDO("blahblah");
// the SQL text contains only a named placeholder, never user data
$stmt = $dbh->prepare('SELECT * FROM users where username = :username');
// the raw request value is handed to the driver as a bound parameter
$stmt->execute( array(':username' => $_REQUEST['username']) );
The PDO documentation says
The parameters to prepared statements don't need to be quoted; the driver handles it for you.
Is that truly all I need to do to avoid SQL injections? Is it really that easy?
You can assume MySQL if it makes a difference. Also, I'm really only curious about the use of prepared statements against SQL injection. In this context, I don't care about XSS or other possible vulnerabilities.
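The question asks whether binding the value is all it takes. The PHP below is an added example, not code from the question or from any answer to it, and it puts the bound-parameter case next to the two situations binding cannot cover: identifiers and LIMIT, which are not parameters in MySQL, and IN (...) lists of variable length. The DSN, credentials, the users table with columns id, username and created_at, and the function names are assumptions made for the example.

```php
<?php
// Added example; not part of the original question. Assumes a MySQL server
// reachable with the placeholder DSN/credentials below and a table
// users(id INT, username VARCHAR, created_at DATETIME).
declare(strict_types=1);

function connect(): PDO
{
    // charset in the DSN matters: with emulated prepares PDO escapes the
    // value client-side and must know the connection charset to do it safely.
    $dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'app', 'secret', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepare and bind
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Values: a bound parameter travels separately from the SQL text, so a
// payload such as "' OR '1'='1" is compared as a literal string, not parsed
// as SQL. This is the case the question is about.
function findUser(PDO $dbh, string $username): ?array
{
    $stmt = $dbh->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Identifiers and keywords cannot be bound. A column name coming from the
// request has to be mapped through a whitelist, never interpolated directly.
function listUsers(PDO $dbh, string $sortKey, int $limit): array
{
    $allowed = ['id' => 'id', 'name' => 'username', 'created' => 'created_at'];
    if (!isset($allowed[$sortKey])) {
        throw new InvalidArgumentException("unknown sort key: $sortKey");
    }
    $column = $allowed[$sortKey];
    $limit  = max(1, min($limit, 100));

    // LIMIT must be bound as an integer: execute(array) binds every value as
    // PDO::PARAM_STR, which with emulated prepares produces LIMIT '20' and a
    // MySQL syntax error.
    $stmt = $dbh->prepare("SELECT id, username FROM users ORDER BY `$column` LIMIT :limit");
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Variable-length IN (...) lists: build one placeholder per value from the
// count alone; the values themselves still go across as parameters.
function findUsersById(PDO $dbh, array $ids): array
{
    if ($ids === []) {
        return [];
    }
    $ids = array_values(array_map('intval', $ids));
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $dbh->prepare("SELECT id, username FROM users WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->fetchAll();
}

$dbh = connect();
var_dump(findUser($dbh, "' OR '1'='1"));   // hostile input, constructed for the example
var_dump(listUsers($dbh, 'name', 20));
var_dump(findUsersById($dbh, [1, 2, 3]));
```

Turning emulation off is a choice, not a requirement: emulated prepares are also safe against injection as long as the DSN carries the right charset, but native prepares make the separation of SQL text and data a server-side guarantee, and they surface mistakes such as a string-bound LIMIT at prepare time instead of silently quoting.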