Possible Duplicate: How prepared statements can protect from SQL injection attacks? For those of

Question

0

Asked: June 17, 20262026-06-17T23:24:16+00:00 2026-06-17T23:24:16+00:00

Possible Duplicate: How prepared statements can protect from SQL injection attacks? For those of

0

Possible Duplicate:
How prepared statements can protect from SQL injection attacks?

For those of us that are new to PDO, we get that it is more secure and that it is better to use, but what I can’t wrap my brain around is, how is this secured?

<?php
$db = new PDO('mysql:host=localhost;dbname=testdb;charset=UTF-8', 'username', 'password');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
try {
    //connect as appropriate as above
    $db->query('hi'); //invalid query!
} catch(PDOException $ex) {
    echo "An Error occured!"; //user friendly message
    some_logging_function($ex->getMessage());
}
foreach($db->query('SELECT * FROM table') as $row) {
    echo $row['field1'].' '.$row['field2']; //etc...
}
?>

Mind you, I do understand what it does, but what exactly does it do to sanitize input? I know mysql_* use mysql_real_escape_string which just put the literal \. Does PDO use this same system? If not, what are we relying on as far as sanitation?