Ask a Question
Advertise on boostr.in
Organizational Research By
Surprising Reserch Topic
Are PDO prepared statements sufficient to prevent SQL injection?
Let's say I have code like this:
$dbh = new PDO("blahblah");
$stmt = $dbh->prepare('SELECT * FROM users where username = :username');
$stmt->execute( array(':username' => $_REQUEST['username']) );
The PDO documentation says:
The parameters to prepared statements don't need to be quoted; the driver handles it for you.
Is that truly all I need to do to avoid SQL injections? Is it really that easy?
You can assume MySQL if it makes a difference. Also, I'm really only curious about the use of prepared statements against SQL injection. In this context, I don't care about XSS or other possible vulnerabilities.
php security p
May 8, 2015
to add a comment.
Related Hot Questions
Government Jobs Opening