Does PHP PDO need injection prevention?

djalam

Member
This is probably a stupid question, but I'll ask it anyways.
Through mysql_connect you need to do all sorts of stuff to prevent database injection (magic quotes, etc.).

Anywho, do we have to take some kind of provisions for PDO as well if we will be using queries with unnamed placeholders "INSERT INTO folks (name, addr, city) VALUES (?, ?, ?)"
or named placeholders "INSERT INTO folks (name, addr, city) VALUES (:name, :addr, :city)"?

Or do we just grab the POST or GET data and relay it directly into the query values?

misson

Community Paragon
Community Support
There is one subtlety about prepared statements that makes it not such a stupid question (only prepared statement parameters are invulnerable to injection; the statement itself can still contain injection vectors if any user input is interpolated into the statement itself). However, the question of SQL injection and prepared statements has been covered before in exacting detail.
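The following is an added example written for this thread; it is not code from either poster. It shows both placeholder styles from the question and the subtlety misson points out: bound parameters cannot be used for injection, but anything spliced into the SQL text (here a column name for ORDER BY) can. It assumes PHP with the PDO SQLite driver so it runs without a MySQL server; `$post` and `$requestedSort` are constructed stand-ins for request data, and `safeOrderBy` is a helper written for this example.

```php
<?php
// Added example for this thread (not the posters' code). Uses an in-memory
// SQLite database so it runs offline; the same PDO calls apply to MySQL.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask for real server-side prepares instead of client-side emulation.
// This matters on MySQL; the SQLite driver simply ignores it.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE folks (id INTEGER PRIMARY KEY, name TEXT, addr TEXT, city TEXT)');

// Constructed request data standing in for $_POST. The name carries a
// classic injection payload to show it is stored as a literal string.
$post = [
    'name' => "O'Brien'); DROP TABLE folks; --",
    'addr' => '1 Main St',
    'city' => 'Springfield',
];

// 1. Unnamed placeholders: values are passed to execute() as a list, in order.
$stmt = $pdo->prepare('INSERT INTO folks (name, addr, city) VALUES (?, ?, ?)');
$stmt->execute([$post['name'], $post['addr'], $post['city']]);

// 2. Named placeholders: values are passed as an associative array.
$stmt = $pdo->prepare('INSERT INTO folks (name, addr, city) VALUES (:name, :addr, :city)');
$stmt->execute([
    ':name' => 'Ada',
    ':addr' => '2 Side St',
    ':city' => 'Lisbon',
]);

// No escaping or magic quotes were needed: the payload is plain text in
// the row, and the table still exists.
$count = (int) $pdo->query('SELECT COUNT(*) FROM folks')->fetchColumn();
echo "rows in folks: $count\n";
$stored = $pdo->query("SELECT name FROM folks WHERE name LIKE 'O%'")->fetchColumn();
echo "stored name: $stored\n";

// 3. The subtlety: placeholders only bind values. Identifiers such as the
//    column in ORDER BY cannot be bound, so a request value used there is
//    interpolated into the SQL text and becomes an injection vector.
//    Constructed stand-in for $_GET['sort']:
$requestedSort = 'city; DELETE FROM folks';

// Vulnerable form (kept commented out): request text becomes part of the
// statement, and prepare() would not help because the text is already SQL.
// $rows = $pdo->query("SELECT name FROM folks ORDER BY $requestedSort");

// Hardened form: map the request value onto an allow-list of known column
// names and fall back to a default, so only trusted text reaches the SQL.
function safeOrderBy(string $requested, array $allowed, string $default): string
{
    return in_array($requested, $allowed, true) ? $requested : $default;
}

$orderBy = safeOrderBy($requestedSort, ['name', 'city'], 'name');
$rows = $pdo->query("SELECT name FROM folks ORDER BY $orderBy")->fetchAll(PDO::FETCH_COLUMN);
foreach ($rows as $name) {
    echo "  $name\n";
}
```

The allow-list is the general pattern for anything that cannot be a bound parameter (table names, column names, sort direction): compare the request value against a fixed set of identifiers the application already knows, and never let the raw string reach the statement text.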

djalam

Member
Gotcha. Thanks, misson, always good help. Checking out the links now.