I have heard that using PREPARE and EXECUTE in a SQL statement will sanitize user-supplied data into something incapable of SQL injection. Is this true?
My original query is this:
```php
$query =
"SELECT * FROM sales_orders
WHERE ksisoldby ILIKE '".$user."'";
```
This is my best guess for changing it to a prepare/execute statement:
```php
<?php
$id = $_POST['id'];
$search = $_POST['user_supplied_search_term'];
PREPARE search_query_function (varchar, varchar) AS
SELECT * FROM sales_orders
WHERE ksisoldby ILIKE '$1'";
EXECUTE search_query_function($id, $search);
?>
```
Is this written/invoked correctly? There are also some built-in PHP objects (PDO) that I have read about. Should I be using those instead or in conjunction? Thanks for help on this sort of broad question.
You incorporate prepare() and execute() in PHP by using prepared statements, which are available when you use PDO. This extension is responsible for creating the appropriate PREPARE and EXECUTE statements for your database according to the database driver you have selected. Here is an example adapted from the PHP manual using prepare() and execute(). This will take care of the parameter escaping for you and create an SQL statement similar to:
So you need to adapt the above code to include your SQL statement within the call to prepare(), which requires you to add placeholders where you want your parameters to be included. Then you call execute(), which will add in the values passed to it.
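As an added example, not code from the question or the answer, here is the asker's sales_orders query written with PDO prepared statements against PostgreSQL (ILIKE is a PostgreSQL operator); the DSN, credentials and input handling are assumptions, and the table and column names are the ones from the question.

```php
<?php
// Added example (not from the question or answer): the asker's query rewritten
// with PDO prepared statements. The DSN and credentials are placeholders.
$dsn = 'pgsql:host=localhost;dbname=example_db';

$pdo = new PDO($dsn, 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    // Make the pgsql driver issue a server-side PREPARE/EXECUTE instead of
    // splicing the values into the SQL text on the client.
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

// The user value never becomes part of the SQL text: the statement is parsed
// once with :user as a placeholder, and the value travels separately on execute().
$stmt = $pdo->prepare(
    'SELECT * FROM sales_orders WHERE ksisoldby ILIKE :user'
);

$user = $_POST['user_supplied_search_term'] ?? '';

// Parameterisation stops injection, but ILIKE still treats % and _ inside the
// value as wildcards. Escape them (backslash is PostgreSQL's default escape
// character) when an exact case-insensitive match is what you want.
$exact = strtr($user, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);

$stmt->execute([':user' => $exact]);
$rows = $stmt->fetchAll();

// An input such as "' OR 1=1 --" is compared as a literal string, never run as SQL.
printf("%d matching sales order(s)\n", count($rows));
```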