New to PDO - do I need to escape arguments I'm passing into a PDO prepared statement (such as the following):
$_GET['name'] = "O'Brady";
$sth = $dbh->prepare("INSERT INTO users SET name = :name");
$sth->bindParam(':name', $_GET['name']);
$sth->execute();
PDO will emulate prepared statements/bound parameters for drivers that do not natively support them, and can also rewrite named or question mark style parameter markers to something more appropriate, if the driver supports one style but not the other.
PDO::query() prepares and executes an SQL statement in a single function call, returning the statement as a PDOStatement object.
PDO::exec() executes an SQL statement in a single function call, returning the number of rows affected by the statement. PDO::exec() does not return results from a SELECT statement. For a SELECT statement that you only need to issue once during your program, consider issuing PDO::query().
No. Neither do you need any quotation marks around text strings. Just pass in the variables as they are and the MySQL driver will take care of the rest.
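An added example (not code from the question or the answer) that puts the broken string-interpolated query next to the bound-parameter form that needs no escaping or quoting. It assumes an in-memory SQLite database so it runs offline, and uses the standard INSERT ... VALUES syntax in place of the MySQL-only INSERT ... SET form from the question.

```php
<?php
// Added example, not from the original post. Uses SQLite in memory so it runs
// offline; for MySQL use a DSN like 'mysql:host=...;dbname=...;charset=utf8mb4'.
$dbh = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Ask for the driver's native prepared statements instead of PDO's
    // client-side emulation (MySQL emulates by default; SQLite has no
    // emulation mode, so the setting only matters once you switch DSN).
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Untrusted input, constructed here to stand in for $_GET['name'].
$name = "O'Brady";

// 1) Unsafe: the value is spliced into the SQL text. The apostrophe in
//    O'Brady closes the string literal early and the statement is malformed;
//    a hostile value could change the statement's meaning instead.
try {
    $dbh->exec("INSERT INTO users (name) VALUES ('$name')");
} catch (PDOException $e) {
    echo "Interpolated query failed: " . $e->getMessage() . PHP_EOL;
}

// 2) Safe: a prepared statement with a bound parameter. No addslashes(), no
//    quotes around the marker; SQL and data travel separately.
$sth = $dbh->prepare('INSERT INTO users (name) VALUES (:name)');
$sth->bindValue(':name', $name, PDO::PARAM_STR); // bindValue copies the value now
$sth->execute();

// 3) PDO::query() is fine for a fixed statement with no parameters.
$rows = $dbh->query('SELECT name FROM users')->fetchAll(PDO::FETCH_COLUMN);
var_dump($rows === ["O'Brady"]); // bool(true): stored verbatim, apostrophe intact

// 4) Markers stand in for values only, never for identifiers or keywords, so
//    a column or table name chosen at runtime still needs an allow-list.
$allowed = ['name', 'id'];
$column  = 'name';
if (!in_array($column, $allowed, true)) {
    throw new InvalidArgumentException('Unexpected column');
}
$sth = $dbh->prepare("SELECT $column FROM users WHERE name = ?");
$sth->execute([$name]); // values given to execute() are bound as strings
```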