Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I read that with PDO you don’t need to escape variables if you use prepare and pass the variables in execute:
$st = $dbh->prepare("INSERT INTO mytable (name,email) VALUES (?,?)");
$st->execute(array($_POST['name'], $_POST['email']));
Is this tru?
Or do I still need to do something with $_POST there?
On prepared statements, no escaping is necessary (and escaping things yourself will result in double-escaping, causing escaped data to be written to the DB).
However, PDO prepared statements CANNOT handle all query variants, and sometimes you’ll have to insert “foreign” data directly into a query string, which means you’ll be responsible for escaping it properly. In particular, dynamic queries where the table and/or field names change cannot be specified using prepared statements. e.g.
cannot be done. Only values can specified with placeholders.