Do PHP PDO prepared statements need to be escaped?

On the PDO::Prepare page it states,

"and helps to prevent SQL injection attacks by eliminating the need to manually quote the parameters"

Knowing this, is there a PHP function like mysql_real_escape_string() that takes care of escaping strings for PDO? Or does PDO take care of all escaping for me?


I realize now that I asked the wrong question. My question really was, "What all does PDO take care of for me?" Which I realize now with these answers that it really only removes the need to escape the quotes. But I would still need to do any other PHP sanitize calls on the values that I pass to the execute function. Such as htmlentities(), strip_tags()...etc...

PDO does not escape the variables. The variables and the SQL command are transferred independently over the MySQL connection. And the SQL tokenizer (parser) never looks at the values. Values are just copied verbatim into the database storage without the possibility of ever causing any harm. That's why there is no need to marshal the data with prepared statements.

Note that this is mostly a speed advantage. With mysql_real_escape_string() you first marshal your variables in PHP, then send an inefficient SQL command to the server, which then has the costly job of segregating the actual SQL command from the values again. That's why it's often said that the security advantage is only implicit, not the primary reason for using PDO.

If you concat the SQL command and don't actually use prepared statements (not good!), then yes, there still is an escape function for PDO: $pdo->quote($string)

Yes and no:

  • Literals which you embed into the statement string need to be escaped as normal.
  • Values which you bind to the prepared statement are handled by the library.

  • Very few people here understand what escaping is and when to use it.
    Escaping itself does not make any data "safe". It just escapes delimiters, to distinguish a delimiter from a part of the data. field = 'it's me' will cause an error, while field = 'it\'s me' will not. That's the only purpose of escaping. So, it works only when you use quotes. If you don't, escaping becomes useless.

    Do you use quotes with placeholders? No. Thus, no escaping would be sensible.

    When you use binding, it works in a very different way.
    It does not send the whole query to the server, but sends your prepared query separately from the bound data. So it cannot interfere. And thus no injection is possible.
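The difference the answers describe between bound values, concatenated values and $pdo->quote(), as an added example that is not part of the original question or answers. It assumes the pdo_sqlite extension and an in-memory database; the table, rows and input strings are constructed for illustration.

```php
<?php
// Added example: assumes pdo_sqlite; table, rows and inputs are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

$input   = "it's me <b>";    // contains a quote and HTML markup
$crafted = "x' OR '1'='1";   // tries to rewrite the WHERE clause

// 1. Bound value: the placeholder is not quoted and no escape call is made.
$pdo->prepare('INSERT INTO users (name) VALUES (:name)')
    ->execute([':name' => $input]);

$select = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$select->execute([':name' => $input]);
$stored = $select->fetchColumn();
// The value comes back byte-for-byte: binding neither escapes nor sanitizes.
printf("stored verbatim: %s\n", var_export($stored === $input, true));

// 2. Concatenation without escaping: the quote inside the value ends the
//    string literal early, so the statement no longer parses.
try {
    $pdo->query("SELECT name FROM users WHERE name = '" . $input . "'");
} catch (PDOException $e) {
    printf("concatenated, unescaped: %s\n", $e->getMessage());
}

// 3. The crafted value changes the query's meaning when concatenated ...
$rows = $pdo->query("SELECT name FROM users WHERE name = '" . $crafted . "'")
            ->fetchAll(PDO::FETCH_COLUMN);
printf("concatenated crafted value matched %d rows\n", count($rows));

// ... but is compared as plain data when bound.
$select->execute([':name' => $crafted]);
printf("bound crafted value matched %d rows\n",
       count($select->fetchAll(PDO::FETCH_COLUMN)));

// 4. quote() adds the delimiters and escapes the quotes inside the value;
//    it is only for the case where the SQL string is concatenated.
$quoted = $pdo->quote($crafted);
$rows = $pdo->query('SELECT name FROM users WHERE name = ' . $quoted)
            ->fetchAll(PDO::FETCH_COLUMN);
printf("quote() gives %s, matched %d rows\n", $quoted, count($rows));

// 5. Output encoding is a separate step, done for the context the value is
//    written into (HTML here), not for the database.
printf("html output: %s\n", htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'));
```

With the MySQL driver, PDO emulates prepared statements by default; setting PDO::ATTR_EMULATE_PREPARES to false makes the driver send the statement and the values to the server separately, as the answers describe.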

