I’ve read that the PDO::Prepare function creates a safe query. Does this mean escape

Question

0

Asked: June 18, 20262026-06-18T08:41:44+00:00 2026-06-18T08:41:44+00:00

I’ve read that the PDO::Prepare function creates a safe query. Does this mean escape

0

I’ve read that the PDO::Prepare function creates a safe query. Does this mean escape characters don’t need to be manually literalised? Such as the backslash character.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-18T08:41:45+00:00

No it absolutely does not mean that. What you read is misleading.

There is a difference between a “prepared statement” and a “parameterized query.” You want the latter for sanitation purposes.

For example:

$pdo->prepare("SELECT * FROM t1 WHERE col1 = $USER_PROVIDED_VALUE");

is not safe at all even though it is prepared. Instead, you have to do this:

$stmt = $pdo->prepare("SELECT * FROM t1 WHERE col1 = ?");
$stmt->execute(array($USER_PROVIDED_VALUE));

Preparing the query isn’t going to do anything for you in terms of security if you do not properly parameterize it.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I’ve read that the PDO::Prepare function creates a safe query. Does this mean escape

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply