How safe are PDO prepared statements?
I'm wondering if PDO prepared statements can save me from SQL injection?
Example: $DBH = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);
The data I want to insert
$data = array( 'name' => $userInput_1, 'addr' => $userInput_2, 'city' => $userinput_3 );
For instance, $userInput_2 is SQL INJECTION.
$STH = $DBH->prepare("INSERT INTO folks (name, addr, city) VALUES (:name, :addr, :city)");
What will happen after execute in this case?
$STH->execute($data);
Thank You!
All input will be properly escaped & quoted. So using PDO prepare / execute should prevent SQL Injection.
From the PHP manual:
Calling PDO::prepare() and PDOStatement::execute() for statements that will be issued multiple times with different parameter values optimizes the performance of your application by allowing the driver to negotiate client and/or server side caching of the query plan and meta information, and helps to prevent SQL injection attacks by eliminating the need to manually quote the parameters.
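The question's INSERT run both ways, as an added example that is not code from the question or the answer: the vulnerable string-built query next to the prepared/bound form, executed against an in-memory SQLite database so it runs offline. The table and column names are the question's; the sample input, including the injection string in the addr field, is constructed.

```php
<?php
// Added example. Uses PDO with SQLite in memory so it needs no MySQL server;
// swap the DSN for "mysql:host=...;dbname=..." to run it against MySQL.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL also set PDO::ATTR_EMULATE_PREPARES to false so the server, not the
// client library, receives the parameters separately from the SQL text.
$dbh->exec('CREATE TABLE folks (name TEXT, addr TEXT, city TEXT)');

// VULNERABLE form, kept only for contrast and never called below:
// user input becomes part of the SQL text, so quotes in it change the query.
function insertUnsafe(PDO $dbh, array $data): void
{
    $sql = "INSERT INTO folks (name, addr, city) "
         . "VALUES ('{$data['name']}', '{$data['addr']}', '{$data['city']}')";
    $dbh->exec($sql);
}

// SAFE form: the SQL text is fixed at prepare() time; execute() sends the
// values as parameters, so they can only ever be data, never syntax.
// Note the limits: placeholders bind values only. Table and column names
// (and, with emulated prepares off, LIMIT operands) cannot be bound and must
// be validated against an allow-list instead.
function insertSafe(PDO $dbh, array $data): bool
{
    $sth = $dbh->prepare(
        'INSERT INTO folks (name, addr, city) VALUES (:name, :addr, :city)'
    );
    return $sth->execute($data); // keys 'name','addr','city' match :name etc.
}

// Constructed input: addr carries a classic injection string.
$data = [
    'name' => 'Alice',
    'addr' => "x'); DROP TABLE folks; --",
    'city' => 'Berlin',
];

insertSafe($dbh, $data);

// Check: the table still exists and the payload was stored as plain text.
$row = $dbh->query('SELECT name, addr, city FROM folks')->fetch(PDO::FETCH_ASSOC);
echo $row['addr'] === $data['addr']
    ? "stored literally: {$row['addr']}\n"
    : "unexpected: {$row['addr']}\n";
```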