I'm working with PDO for the first time and I'm wondering if the below looks safe. I've tried to read up on alternatives to mysql_real_escape and it seems like the 'prepare' method is sufficient enough security-wise; can anyone clarify this for me? Still appears vulnerable…
<?php
$UID = $_GET['id'];                                   // untrusted user input straight from the query string
$sth = $conn->prepare("SELECT * FROM directory WHERE user_active != '' AND ID = :uid"); // SQL text fixed here, :uid is a placeholder
$sth->execute(array(':uid' => $UID));                 // value bound to the placeholder, not spliced into the SQL
$rows = $sth->fetchAll(PDO::FETCH_ASSOC);             // read the result set
The prepare method is not only sufficient, it's preferred over mysql_real_escape(). Your code works, as $UID will be transmitted with a different protocol than the rest of the SQL statement. Since the database treats it differently, there's no need to escape.
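To make the difference concrete, here is an added example (not code from the question or the answer above) that puts the string-concatenated, injectable version of the lookup next to the prepared-statement version, and sets the PDO attributes a practitioner would want. The DSN, credentials, table layout (`directory` with an integer `ID` column) and the attacker input are assumptions constructed for the example.

```php
<?php
// Added example, not from the original post. Assumes a MySQL table
// `directory` with an integer `ID` column and a `user_active` column;
// host, database name and credentials below are placeholders.
$dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4'; // declare the charset in the DSN

$conn = new PDO($dsn, 'app_user', 'secret', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // surface errors instead of silently returning false
    PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares: bound values never enter the SQL text
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Constructed attacker input: a tautology that turns "ID = 1" into "ID = 1 OR 1=1".
$id = $_GET['id'] ?? '1 OR 1=1';

// VULNERABLE: the input becomes part of the SQL text, so the payload changes
// the query's meaning and every active row comes back.
function lookupUnsafe(PDO $conn, string $id): array
{
    $sql = "SELECT * FROM directory WHERE user_active != '' AND ID = " . $id;
    return $conn->query($sql)->fetchAll();
}

// SAFE: the statement is parsed by the server at prepare() time; the value is
// bound afterwards as data, so it can never alter the statement's structure.
function lookupSafe(PDO $conn, string $id): array
{
    // ID is an integer column: reject non-numeric input early and bind with an
    // explicit type, so MySQL does not quietly coerce '1 OR 1=1' to 1 and
    // return someone else's row.
    if (!ctype_digit($id)) {
        return [];
    }
    $sth = $conn->prepare("SELECT * FROM directory WHERE user_active != '' AND ID = :uid");
    $sth->bindValue(':uid', (int) $id, PDO::PARAM_INT);
    $sth->execute();
    return $sth->fetchAll();
}

// With the constructed payload: lookupUnsafe() returns the whole active directory,
// lookupSafe() returns nothing because '1 OR 1=1' is not a valid ID.
$unsafeRows = lookupUnsafe($conn, $id);
$safeRows   = lookupSafe($conn, $id);
printf("unsafe: %d rows, safe: %d rows\n", count($unsafeRows), count($safeRows));
```

Two caveats worth keeping in mind. First, PDO's MySQL driver emulates prepares by default (client-side quoting of the bound values); turning `PDO::ATTR_EMULATE_PREPARES` off, as above, makes the server do the binding, which is what the "different protocol" in the answer refers to. Second, placeholders only work for values: a table name, column name, `ORDER BY` direction or similar that comes from the user still has to be validated against an allow-list, because no amount of binding can parameterize an identifier.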