Can someone confirm this: if I am using PDO::PARAM, I don't need to filter/sanitize to inject into a MySQL database, since PDO::PARAM already does it…
By “PDO::PARAM” I suppose you mean binding parameters into prepared statements.
Yes, if you properly use prepared statements, you do not need to do anything more to avoid SQL injection, because the database has a chance to clearly see the difference between the SQL statement and the user-supplied values. Binding parameters does not sanitize or escape those values; it sidesteps the whole business of sanitizing and escaping by separating statements from data.
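The distinction the answer draws (separation of statement and data rather than escaping) can be seen directly. The script below is an added example, not code from the question or the answer; it assumes the pdo_sqlite extension is available and uses an in-memory SQLite database so it runs offline. All inputs (`O'Brien`, `not-a-number`, the sort column) are constructed for the demonstration. It also goes slightly beyond the answer to show two things practitioners usually want to know next: binding does not validate, and only values, not identifiers, can be bound.

```php
<?php
// Added example (not from the original question or answer): contrasts string
// concatenation with bound parameters in PDO against an in-memory SQLite
// database. Assumes the pdo_sqlite extension is loaded.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask for real server-side prepares where the driver supports it (SQLite does),
// so the SQL text really is sent separately from the values.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, age INTEGER NOT NULL)');

// Constructed input: a perfectly legitimate value that happens to contain a quote.
$name = "O'Brien";
$age  = "42";

// 1. Concatenation: the quote inside the data becomes part of the SQL text, so the
//    statement the database parses is not the one the developer intended.
try {
    $pdo->exec("INSERT INTO users (name, age) VALUES ('$name', $age)");
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . PHP_EOL;
}

// 2. Binding: the SQL text is fixed; the values travel separately and are never
//    parsed as SQL. Nothing is escaped or stripped; the quote is stored verbatim.
$stmt = $pdo->prepare('INSERT INTO users (name, age) VALUES (:name, :age)');
$stmt->bindValue(':name', $name, PDO::PARAM_STR);
$stmt->bindValue(':age', (int) $age, PDO::PARAM_INT);
$stmt->execute();

$row = $pdo->query('SELECT name, age FROM users')->fetch(PDO::FETCH_ASSOC);
var_dump($row['name'] === "O'Brien"); // bool(true): stored as-is, not "sanitized"

// 3. Binding is not validation. PDO::PARAM_INT does not reject non-numeric input;
//    type, range and length checks still belong in the application.
$rawAge = "not-a-number"; // constructed bad input
$validated = filter_var(
    $rawAge,
    FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 0, 'max_range' => 150]]
);
var_dump($validated); // bool(false): reject before it ever reaches a query

// 4. Only values can be bound. Identifiers (table and column names) and keywords
//    such as the ORDER BY direction must come from an allow-list, never from input.
$allowedSort = ['name' => 'name', 'age' => 'age'];
$requested   = 'age'; // constructed input
$column      = $allowedSort[$requested] ?? 'name';
$stmt = $pdo->prepare("SELECT name FROM users ORDER BY $column");
$stmt->execute();
var_dump($stmt->fetchColumn() === "O'Brien"); // bool(true)
```

Run it with `php example.php`. The first INSERT fails with a syntax error because the database saw the data as part of the statement; the bound INSERT succeeds and keeps the quote intact, which is exactly why no escaping step is needed. Steps 3 and 4 are the caveats: prepared statements remove the injection risk for values, but they do not replace input validation, and they cannot be used for identifiers.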