Time and time again I’ve read on Stackoverflow that I should be using PDO to access MySQL because it is safer. I recently changed some of my select and insert statements to PDO using some online tutorial and found them to be very similar to my original code. This makes me think that perhaps I’ve missed something.
So, my question is what makes PDO safer than normal mysql? Is there anything that would make those examples safer?
EDIT: I’ve pasted my insert code below. If you can see some ways of making it safer please let me know.
include 'dataB3S3.php';
try {
$dbh = new PDO("mysql:host=$hostname;dbname=$dbname", $username, $password);
/*** connect to DB ***/
/*** INSERT data ***/
$count = $dbh->exec("INSERT INTO $table(`instance` ,`uid`,`teid`) VALUES (NULL,'$userID','$teid')");
/*** display the id of the last Auto INSERT ***/
$lastInsertValue=$dbh->lastInsertId();
/*** close the database connection ***/
$dbh = null;
}
You’ve missed one of the main benefits, prepared statements. Using them instead of directly embedding variables in your query like your sample code protects you better against accidental SQL injection vulnerabilities.