PDO execute($input_parameter) protects from sql injections as bindParam/bindValue?

Question

Does execute($input_parameter) protect from sql injections just like bindParam/bindValue?

If the answer is yes, bindParam()/bindValue()/execute() are invulnerable to any sql-inject attack? Or I need to take measures to prevent such attacks?.

Thanks for help!.

Answer 1

As far as execute($input_parameters) being as safe as separate bindParam/bindValue/execute steps, the answer would appear to be basically, yes.

However, you might still need to take further measures depending on how you constructed the query string that you pass to your PDO::prepare call. It is not always possible to parameter-ize everything in the prepared query string. For example, you can't use a parameter for a table or column name. If you allow user data or any external data into that query string you must still sanitize that data before passing the string to prepare. Refer to these stackoverflow questions for more details:

• how safe are PDO prepared statements
• Are PDO prepared statements sufficient to prevent SQL injection?

In general you should be filtering all input data anyway, so if you wanted to be extra safe you could sanitize any input data that is destined for SQL-type stuff using the filters appropriate for your needs, or even writing a FILTER_CALLBACK custom function if you wish. In the case of table or column names coming from user-provided data, a common validation technique is to check the values against arrays of allowable names.

Hope this helps. Good luck. Stay safe! ;)