Can I fully prevent SQL injection by PDO Prepared statement without bind

I am very new to PDO, sorry if you feel I am asking a stupid question.
A normal and simple PDO prepared statement without bind_param:

$sql = $db->prepare('SELECT * FROM employees WHERE name = ?');
$sql->execute(array($name));
$rows = $sql->fetchAll();

With bind_param:

$sql->bind_param("s", $name); //s means the database expects a string

I heard people say: "The protection comes from using bound parameters, not from using prepared statements." May I know what bound parameters are? Is bind_param a bound parameter? If yes, does that mean the normal and simple PDO prepared statement without bind_param CANNOT fully prevent SQL injection?


You're doing it right. The bound parameters are the ones declared in a "prepared statement" using ?. They are then bound using execute(), with their values passed as a parameter to be bound to the statement.


That is true.

I have no expert information on this, but from what I understand, the problem with SQL injection is that the SQL server receives a string and regards it as true. The server has no means of knowing whether, for instance, the DUMP commands were made intentionally or not.

With bound parameters, you say to the SQL server: "Hey look, this is the query, and I expect parameters here, here and there. Oh, and by the way, here are the values." This approach is different because the SQL server now knows the actual expression it has to execute and what the values are. This allows it to insert the values into the expression without modifying the expression itself.


OWASP gave me the same doubt. Following their guidelines against SQL injection, the "SQL_Injection_Prevention_Cheat_Sheet", they say:

Defense Option 1: Prepared Statements (with Parameterized Queries):

  • PHP – use PDO with strongly typed parameterized queries (using bindParam())

So it seems as if you should use bind_param() at all times. I don't use it because I converted thousands of vulnerable DAOs with an automated script, and bind_param() would require me to hand edit them all.

I have yet to see examples of injection without bind_param() used, so I am confident it is not necessary.
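The following is an added example, not code from the original question or from any of the answers above. It ties the three answers together by running the asker's ? placeholder with execute(array(...)), PDO's two explicit binding methods, and a string-concatenated query for contrast, all against an in-memory SQLite database with a constructed table, constructed rows and a constructed tautology payload. One point of terminology: in PDO the binding methods are bindValue() and bindParam(); bind_param() with a type string such as "s" is the mysqli API, not PDO. The orderedEmployees() helper and its whitelist are also assumptions made for the demonstration.

```php
<?php
// Added example, not from the original post. Requires the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table and rows.
$db->exec('CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO employees (name) VALUES ('alice'), ('bob'), ('carol')");

function rowCount(PDOStatement $stmt): int
{
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

// Attacker-controlled input: a tautology payload of the classic kind.
$name = "x' OR '1'='1";

// 1. String concatenation: the value is spliced into the SQL text, so the
//    parser sees   WHERE name = 'x' OR '1'='1'   and the OR is real SQL.
$unsafe = $db->query("SELECT * FROM employees WHERE name = '$name'");
printf("concatenated: %d rows\n", rowCount($unsafe));

// 2. Positional placeholder with the value passed to execute(). The SQL text
//    is fixed before the value is supplied, so the quote and the OR are just
//    characters inside a string that is compared against the name column.
$stmt = $db->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->execute(array($name));
printf("execute(array): %d rows\n", rowCount($stmt));

// 3. bindValue(): same protection; binds a copy of the value at call time.
$stmt = $db->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->bindValue(':name', $name, PDO::PARAM_STR);
$stmt->execute();
printf("bindValue: %d rows\n", rowCount($stmt));

// 4. bindParam(): same protection; binds the variable by reference, so the
//    value actually sent is whatever $name holds when execute() runs.
$stmt = $db->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->bindParam(':name', $name, PDO::PARAM_STR);
$name = 'bob';
$stmt->execute();
printf("bindParam (after reassigning \$name to 'bob'): %d rows\n", rowCount($stmt));

// Caveat: a placeholder can only stand for a literal value. Identifiers and
// keywords (table or column names, ASC/DESC) cannot be bound, so those must be
// checked against a whitelist before they are interpolated into the query.
function orderedEmployees(PDO $db, string $column): array
{
    $allowed = array('id', 'name');           // assumed whitelist for this demo
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $stmt = $db->query("SELECT * FROM employees ORDER BY $column");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
printf("ordered by name: %s\n",
    implode(',', array_column(orderedEmployees($db, 'name'), 'name')));
```

Run it with php on the command line. The concatenated query matches every row, while the three bound forms are equivalent as far as injection is concerned: the payload is compared as a plain string and matches nothing, and the bindParam() case shows the by-reference behaviour by returning only the bob row. Two caveats a practitioner should keep in mind: with the MySQL driver, PDO emulates prepares by default (PDO::ATTR_EMULATE_PREPARES), escaping values client-side rather than sending them separately; that is still safe for values as long as the connection charset is declared in the DSN (for example charset=utf8mb4) rather than switched afterwards with SET NAMES, or emulation is turned off. And, as the last function shows, anything that is not a value (identifiers, sort direction, a table name) is outside what binding can protect and must be whitelisted.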

Link: http://www.djcxy.com/p/93764.html