1
votes

I'm wondering if PDO prepared statements can save me from SQL injection?

Example: $DBH = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);

The data I want to insert

$data = array( 'name' => $userInput_1, 'addr' => $userInput_2, 'city' => $userInput_3 );

For instance, $userInput_2 is SQL INJECTION.

$STH = $DBH->prepare("INSERT INTO folks (name, addr, city) VALUES (:name, :addr, :city)");

What will happen after execute in this case?

$STH->execute($data);

Thank You!


1 Answer

0
votes

All input will be properly escaped and quoted, so using PDO prepare/execute should prevent SQL injection.

From the PHP manual:

Calling PDO::prepare() and PDOStatement::execute() for statements that will be issued multiple times with different parameter values optimizes the performance of your application by allowing the driver to negotiate client and/or server side caching of the query plan and meta information, and helps to prevent SQL injection attacks by eliminating the need to manually quote the parameters.
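The following is an added, runnable example (not code from the question or the answer above) that shows the behaviour the answer describes: the same untrusted value is inserted once through a prepared statement with named placeholders and once by string concatenation. It uses an in-memory SQLite database instead of the MySQL DSN from the question so that it runs offline; the table name and the "user input" values are constructed for the demonstration.

```php
<?php
// Added example, not part of the original question or answer.
// SQLite in memory stands in for the MySQL connection in the question;
// PDO::prepare()/execute() work the same way against both drivers.
$DBH = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // raise exceptions instead of failing silently
]);

$DBH->exec('CREATE TABLE folks (name TEXT, addr TEXT, city TEXT)');

// Constructed "user input": the address contains a single quote and a
// comment marker, which is enough to break a query assembled by concatenation.
$data = [
    'name' => 'Alice',
    'addr' => "1 O'Brien St; -- trailing text",
    'city' => 'Dublin',
];

// Safe: the SQL text is fixed at prepare() time; execute() sends the values
// separately, so quotes inside them are plain data, never SQL syntax.
$STH = $DBH->prepare('INSERT INTO folks (name, addr, city) VALUES (:name, :addr, :city)');
$STH->execute($data);

// Unsafe, shown for contrast: interpolating the same value into the SQL string.
// The embedded quote terminates the literal early and the statement fails.
try {
    $DBH->exec("INSERT INTO folks (name, addr, city) VALUES ('{$data['name']}', '{$data['addr']}', '{$data['city']}')");
} catch (PDOException $e) {
    echo 'Concatenated query failed: ' . $e->getMessage() . PHP_EOL;
}

// Read the row back, again with a placeholder, to confirm the value was stored verbatim.
$lookup = $DBH->prepare('SELECT name, addr, city FROM folks WHERE addr = :addr');
$lookup->execute(['addr' => $data['addr']]);
$rows = $lookup->fetchAll(PDO::FETCH_ASSOC);

printf("%d row(s) stored via prepared statement; addr = %s\n", count($rows), $rows[0]['addr']);
```

Running it shows the concatenated INSERT throwing a syntax error while the prepared INSERT stores the quoted string unchanged and the prepared SELECT finds exactly that row. Two caveats worth knowing: placeholders can only stand in for values, not for identifiers such as table or column names or for keywords, so those must still come from an allow-list; and with the MySQL driver, setting `PDO::ATTR_EMULATE_PREPARES => false` makes PDO use the server's native prepared statements rather than quoting the values client-side.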