I'd just like to verify if using prepared statements in MySQL prevents SQL injection.
Will the following code prevent all SQL injection attacks?
$var = $_GET['q'];
$trimmed = trim($var);
if ($trimmed != NULL) {
$get_fighters = $DBH->prepare(
'SELECT *
FROM fighters
WHERE name LIKE :searchTerm
OR nickname LIKE :searchTerm
OR born_in_city LIKE :searchTerm
OR born_in_state LIKE :searchTerm
OR born_in_country LIKE :searchTerm
ORDER BY name ASC');
$get_fighters->bindValue(':searchTerm', '%' . $trimmed . '%', PDO::PARAM_STR);
$get_fighters->setFetchMode(PDO::FETCH_ASSOC);
$get_fighters->execute();
$check_results_fighters = $get_fighters->rowCount();
$get_events = $DBH->prepare(
'SELECT *
FROM events
WHERE event_name LIKE :searchTerm
OR event_arena LIKE :searchTerm
OR event_city LIKE :searchTerm
OR event_state LIKE :searchTerm
OR event_country LIKE :searchTerm
OR organization LIKE :searchTerm
ORDER BY event_date DESC');
$get_events->bindValue(':searchTerm', '%' . $trimmed . '%', PDO::PARAM_STR);
$get_events->setFetchMode(PDO::FETCH_ASSOC);
$get_events->execute();
$check_results_events = $get_events->rowCount();
}
PDO::preparedocs: "You cannot use a named parameter marker of the same name twice in a prepared statement." (Though emulated prepared statements in some versions of PHP with the PDO/MySQL driver do support repeated names, it's not safe to rely on this; see also "php pdo prepare repetitive variables".) Always RTM. – outis