Are PDO prepared statements sufficient to prevent SQL injection?

Posted by Mark Biek on Stack Overflow See other posts from Stack Overflow or by Mark Biek
Published on 2008-09-25T15:43:35Z Indexed on 2010/04/21 8:23 UTC
Read the original article Hit count: 234

Filed under:
|
|
|

Let's say I have code like this:

$dbh = new PDO("blahblah");

$stmt = $dbh->prepare('SELECT * FROM users where username = :username');
$stmt->execute( array(':username' => $_REQUEST['username']) );

The PDO documentation says

The parameters to prepared statements don't need to be quoted; the driver handles it for you.

Is that truly all I need to do to avoid SQL injections? Is it really that easy?

You can assume MySQL if it makes a difference. Also, I'm really only curious about the use of prepared statements against SQL injection. In this context, I don't care about XSS or other possible vulnerabilities.

© Stack Overflow or respective owner

Related posts about php

Related posts about sql-injection