 

Escape arguments for PDO statements?

Tags:

php

pdo

New to PDO - do I need to escape arguments I'm passing into a PDO prepared statement (such as the following):

$_GET['name'] = "O'Brady";

$sth = $dbh->prepare("INSERT INTO users SET name = :name");
$sth->bindParam(':name', $_GET['name']);
$sth->execute();
Matthew asked May 20 '10 14:05


1 Answer

No. Neither do you need any quotation marks around text strings. Just pass in the variables as they are and the MySQL driver will take care of the rest.

Emil Vikström answered Sep 18 '22 22:09
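The behaviour the answer describes, as an added example that is not part of the original question or answer. It assumes the pdo_sqlite extension so it runs offline against an in-memory database (the original uses the MySQL driver, where bound parameters behave the same way), inserts the apostrophe value from the question next to a classic injection payload without any escaping, and shows that a bound value only ever matches itself while the same string concatenated into the SQL becomes SQL. The last part shows the one PDO binding detail that does bite people: bindParam() binds by reference and reads the variable at execute() time.

```php
<?php
// Added example, not code from the original question or answer.
// Assumption: pdo_sqlite is available; an in-memory database keeps it offline.
declare(strict_types=1);

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed inputs: the apostrophe from the question plus a classic payload.
$inputs = ["O'Brady", "x' OR '1'='1"];

// 1. Insert without escaping and without quotes around the placeholder.
//    The value reaches the driver as a parameter, never as SQL text.
$ins = $dbh->prepare('INSERT INTO users (name) VALUES (:name)');
foreach ($inputs as $name) {
    $ins->bindValue(':name', $name, PDO::PARAM_STR);
    $ins->execute();
}

// 2. Read back: a bound value matches only a row whose name is exactly that
//    string, so the OR payload cannot widen the WHERE clause.
$sel = $dbh->prepare('SELECT name FROM users WHERE name = :name');
foreach ($inputs as $name) {
    $sel->execute([':name' => $name]);   // passing the bindings to execute() also works
    printf("bound   %-14s -> %d row(s)\n", $name, count($sel->fetchAll()));
}

// 3. Contrast: the same payload concatenated into the SQL text is parsed as SQL,
//    and the OR clause now matches every row in the table.
$unsafe = "SELECT name FROM users WHERE name = '" . $inputs[1] . "'";
printf("concat  %-14s -> %d row(s)\n", $inputs[1], count($dbh->query($unsafe)->fetchAll()));

// 4. bindParam() binds by reference and reads the variable when execute() runs;
//    bindValue() copies it at bind time. With $_GET['name'] this rarely matters,
//    but it does if the variable is reassigned before execute().
$cnt = $dbh->prepare('SELECT COUNT(*) FROM users WHERE name = :name');
$name = "O'Brady";
$cnt->bindParam(':name', $name);
$name = 'nobody';                      // reassigned before execute()
$cnt->execute();
printf("bindParam searched for %s: %d match(es)\n", $name, $cnt->fetchColumn());
```

Two MySQL-specific caveats worth knowing: pdo_mysql emulates prepared statements by default, quoting values client-side before sending the SQL, so declare the connection charset in the DSN (for example `charset=utf8mb4`) so that quoting uses the encoding the server expects, or set `PDO::ATTR_EMULATE_PREPARES` to false to use server-side prepares. And placeholders only stand in for values: a table name, column name or ORDER BY direction taken from user input still has to be checked against a whitelist before it goes into the SQL text.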