
SQL injection curiosity

Student here,

just learned that in order to avoid SQL injections it’s better to use the prepare/execute duo:

$pdo = new PDO('mysql:host=something;port=something;dbname=something', 'name', 'pswd');
$sql = "SELECT name FROM users WHERE email = :em AND password = :pw";
$stmt = $pdo->prepare($sql);
// The values (e.g. from the login form) are bound to the named placeholders
// at execute time, so they never become part of the SQL text itself.
$stmt->execute(['em' => $email, 'pw' => $password]);

instead of using:

$stmt = $pdo -> query($sql);

The question is:

In what situations does anybody use query instead? Since we have a pretty quick way to secure ourselves from SQL injections, does anybody use the query method anyway? And if so, why?


Answer

Virtually never; you will know if you are in a situation where you cannot use it.

Note that even if you are generating queries on the fly, you should still generate the string with the placeholders and the set of arguments independently of each other.
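An added example (not part of the original question or answer) of what that last sentence means in practice: a filter builder that assembles the WHERE clause on the fly but keeps the SQL text with its placeholders and the array of bound values as two separate outputs. The `users` table, the `buildUserQuery()` function, the column whitelist and the `$_POST` fields are assumptions for illustration.

```php
<?php
// Added example: dynamic query generation with placeholders and values kept apart.
// Assumes a MySQL `users` table (hypothetical) with the columns in the whitelist.
declare(strict_types=1);

/**
 * Build a parameterised SELECT from request-supplied filters.
 *
 * @param array<string,string> $filters  column => value pairs from the request
 * @param string[]             $allowed  whitelist of columns that may be filtered on
 * @return array{0:string,1:array<string,string>} SQL text and the values to bind
 */
function buildUserQuery(array $filters, array $allowed): array
{
    $conditions = [];
    $params = [];
    foreach ($filters as $column => $value) {
        // Identifiers (column names) cannot be bound as parameters, so they are
        // checked against a fixed whitelist rather than copied from the request.
        if (!in_array($column, $allowed, true)) {
            throw new InvalidArgumentException("Unknown filter column: $column");
        }
        $placeholder = ':' . $column;
        $conditions[] = "`$column` = $placeholder";
        $params[$placeholder] = $value;   // the value never touches the SQL text
    }
    $sql = 'SELECT name FROM users';
    if ($conditions !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $conditions);
    }
    return [$sql, $params];
}

$pdo = new PDO('mysql:host=localhost;dbname=app', 'name', 'pswd', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,  // use real server-side prepared statements
]);

// Constructed sample input, shaped like the login form in the question.
[$sql, $params] = buildUserQuery(
    ['email' => $_POST['email'] ?? '', 'password' => $_POST['password'] ?? ''],
    ['email', 'password']
);
// $sql is now "SELECT name FROM users WHERE `email` = :email AND `password` = :password";
// the request values live only in $params and are bound at execute time.
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

The parts of a statement that cannot be bound (table and column names, sort direction, and similar identifiers) are the usual reason people fall back to string building; restricting those to a whitelist covers that case, while every value coming from the request still travels in the parameter array rather than in the query string.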

User contributions licensed under: CC BY-SA