Possible Duplicate: Php PDO::bindParam data types.. how does it work? Could someone explain –

Question

0

Editorial Team

Asked: June 17, 20262026-06-17T08:39:31+00:00 2026-06-17T08:39:31+00:00

Possible Duplicate: Php PDO::bindParam data types.. how does it work? Could someone explain –

0

Possible Duplicate:
Php PDO::bindParam data types.. how does it work?

Could someone explain – why is prepared statement more secure:

$stmt = $conn->prepare("INSERT INTO users (user, pass, salt) 
VALUES (:user, :pass, :salt");
    $stmt->bindParam(":user", $user);
    $stmt->bindParam(":pass", $pass);
    $stmt->bindParam(":salt", $salt);
    $stmt->execute();

Insert query is firstly prepared with placeholders, then values is placed instead placeholders, but – where is that famous secure point ?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-17T08:39:32+00:00

The values are not placed into the placeholders (depending on the backend, some do emulation but lets not talk about them, as that’s not prepared statements). The issue with traditional SQL is that the commands and data are mixed. Prepared statements get around that issue by intentionally keeping them separate at all times. Prepared statements aren’t just a fancy way to automatically do mysqli_real_escape_string.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Possible Duplicate: Php PDO::bindParam data types.. how does it work? Could someone explain –

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply