Similar questions have probably been asked before, and sorry for that. I need to be sure that I protect against SQL injections correctly.
I have just converted my PHP SQL statements to PDO statements. For the old SQL queries I used to use mysql_real_escape_string, strip_tags(), and maybe htmlentities() (not sure if I did html).
Is it necessary to use anything like this in the PDO statements? I have heard in some places that this is not necessary in PDO. What's true/false?
And: I have always written the queries like the first example below:
Example 1:
SELECT `id` , `password` FROM `users` WHERE `username` = '$username'
Example 2:
SELECT id, password FROM users WHERE username = '$username'
Is example 1 safer (from SQL injections) than example 2, or is it just wasted time doing it?
If you are using PDO you should be using prepared statements with parameters. There are some examples in the documentation.
If you use this approach then there is no need for escaping strings.
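As an added example (not code from the original question or answer), the lookup from the question rewritten as a PDO prepared statement with a parameter, beside the interpolated form; the DSN, credentials, table layout and the assumption that the password column holds a password_hash() value are all hypothetical:

```php
<?php
// Added example: PDO prepared statement vs. string interpolation.
// DSN, credentials and the `users` table layout are assumptions.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares: the parameter value is never parsed as SQL.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// The question's form: the value becomes part of the SQL text, so a username
// containing a quote changes the query. Backticks around identifiers do not help.
function findUserUnsafe(PDO $pdo, string $username): ?array
{
    $row = $pdo->query("SELECT id, password FROM users WHERE username = '$username'")->fetch();
    return $row === false ? null : $row;
}

// Prepared statement: the SQL text is fixed and the username travels separately,
// so no escaping, strip_tags() or htmlentities() is needed for the query.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Returns the user id on success, null otherwise. Assumes `password` stores
// a password_hash() value (a constructed assumption for this example).
function checkLogin(PDO $pdo, string $username, string $password): ?int
{
    $user = findUser($pdo, $username);
    if ($user === null || !password_verify($password, $user['password'])) {
        return null;
    }
    return (int) $user['id'];
}

$pdo    = connect();
$userId = checkLogin($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
// HTML encoding belongs at output time, not in the query.
echo $userId === null
    ? 'Login failed'
    : 'Welcome, ' . htmlspecialchars($_POST['username'], ENT_QUOTES, 'UTF-8');
```

The backtick question is separate from injection: quoting identifiers only matters when a column or table name collides with a reserved word, and it does nothing for values.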