Write For Us
php
pdo

Do PHP PDO prepared statements need to be escaped?

Viewed   69 times

On the PDO::Prepare page it states,

"and helps to prevent SQL injection attacks by eliminating the need to manually quote the parameters"

Knowing this, is there a PHP function like mysql_real_escape_string() that takes care of escaping stings for PDO? Or does PDO take care of all escaping for me?

EDIT

I realize now that I asked the wrong question. My question really was, "What all does PDO take care of for me?" Which I realize now with these answers that it really only removes the need to escape the quotes. But I would still need to do any other PHP sanitize calls on the values that I pass to the execute function. Such as htmlentities(), strip_tags()...etc...

 Answers

5

PDO does not escape the variables. The variables and the SQL command are transferred independently over the MySQL connection. And the SQL tokenizer (parser) never looks at the values. Values are just copied verbatim into the database storage without the possibility of ever causing any harm. That's why there is no need to marshall the data with prepared statements.

Note that this is mostly a speed advantage. With mysql_real_escape_string() you first marshall your variables in PHP, then send an inefficient SQL command to the server, which has to costly segregate the actual SQL command from the values again. That's why it's often said that the security advantage is only implicit, not the primary reason for using PDO.

If you concat the SQL command and don't actually use prepared statments (not good!), then yes, there still is an escape function for PDO: $pdo->quote($string)

Saturday, November 5, 2022
 
e.sil.roz-a4ed1a0682d4
 
e.sil.roz-a4ed1a0682d4
5

However, thanks to this guys. I found out that you need to pass the value by reference with a & before like that :

foreach($Fields as $Name => &$Value){
    $Query->bindParam(':'.$Name, $Value, PDO::PARAM_STR);
}

This was driving me nuts.

Actual quote from PHP.net :

Vili 28-May-2010 12:01

This works ($val by reference):

<?php
foreach ($params as $key => &$val){
    $sth->bindParam($key, $val);
}
?>

This will fail ($val by value, because bindParam needs &$variable):

<?php
foreach ($params as $key => $val) {
    $sth->bindParam($key, $val);
}
?>
Monday, December 12, 2022
 
user2271757
 
user2271757
5

I can find nothing clear in the manual, but looking at the User Contributed Notes, the use of parameters is intended for actual values only, not table names, field names etc.

Normal string concatenation should (and can) be used.

$tablename = "tablename";
$stmt = $dbh->prepare("CREATE TABLE `$tablename` (id foo, int bar,...)");
Sunday, October 2, 2022
 
luis_diaz
 
luis_diaz
5

Well, at second glance your question looks more complex to be answered with just one link

How does php pdo's prepared statements prevent sql injection?

How can prepared statements protect from SQL injection attacks?

What are other pros/cons of using PDO?

Most interesting question.
A greatest PDO disadvantage is: it is peddled and propagated a silver bullet, another idol to worship.
While without understanding it will do no good at all, like any other tool.
PDO has some key features like

  • Database abstraction. It's a myth, as it doesn't alter the SQL syntax itself. And you simply can't use mysql autoincremented ids with Postgre. Not to mention the fact that switching database drivers is not among frequent developer's decisions.
  • Placeholders support, implementing native prepared statements or emulating them. Good approach but very limited one. There are lack of necessary placeholder types, like identifier or SET placeholder.
  • a helper method to get all the records into array without writing a loop. Only one. When you need at least 4 to make your work sensible and less boring.

Does using PDO reduce efficiency?

Again, it is not PDO, but prepared statements that reduces efficiency. It depends on the network latency between the db server and your application but you may count it negligible for the most real world cases.

Monday, September 5, 2022
 
hosein_masbough
 
hosein_masbough
1

Since this question has been written, mysql introduced a spaceship operator that allows us to use a regular query to match a null value

WHERE fieldName <=> :fieldName;

will match both a null or any not null value.

So just write your query right away and execute it as usual

$stmt = $db->prepare('SELECT field FROM table WHERE fieldName <=> :fieldName;');
$stmt->execute(['fieldName' => null]);
$result = $stmt->fetchAll(); // whatever fetch method is suitable

And with dynamically built queries it's all the same.

Saturday, November 19, 2022
 
guillermo_siliceo_trueba
 
guillermo_siliceo_trueba
Only authorized users can answer the search term. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :
php
pdo
 
Share
Related Answers
479
 Are PDO prepared statements sufficient to prevent SQL injection?
126
 PDO prepared statement - what are colons in parameter names used for?
332
 Error while using PDO prepared statements and LIMIT in query
80
 Retrieve (or simulate) full query from PDO prepared statement
293
 PDO prepared statements for INSERT and ON DUPLICATE KEY UPDATE with named placeholders
68
 PHP/PDO: Prepared statements don't work when creating a table?
84
 Do I need to use (int)$id before I use $id in bindValue in Php PDO
50
 Does $_SESSION['username'] need to be escaped before getting into an SQL query?
69
 How do I get meaningful error messages out of MySQL using PDO prepared statements?
69
 Using MySQL functions in PHP PDO prepared statements
Top Answers Related To

php,pdo

76
 PHP PDO bindParam was falling in a foreach
73
 PHP - PDO return escaping slash, how to remove it?
99
 PHP PDO simple insert or update function
179
 PHP/PDO MariaDB Galera Cluster
55
 PHP PDO + Prepare Statement
72
 PHP - PDO fetch loop
76
 How to use column names in PHP PDO without binding columns
89
 PHP, PDO, and Exceptions
69
 PHP PDO retrieve MYSQL DB Size
105
 PHP PDO injection inside a class
Write For Us · Blog · Privacy · Faqs · Terms of Use · Contact us ·