In coding femtoblogger I wanted a simple way to avoid SQL injection attacks. I think I've settled on one simple rule:

"Never paste any variable into a query string."

That is much simpler than the "never paste user input into a query string" or the "always call the proper escape function for variables" methodology: there is no need to decide which variables are user input, and no escape call to forget. I use the '?' placeholder and bind all variables.

Some things come out in two lines (prepare, execute) instead of one (query), but overall I think the code is more legible without having to read through the concatenation, string delimiting, and escape functions.
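To show what the rule buys you, here is an added example (not femtoblogger's code) that runs the forbidden pattern and the bound-parameter pattern side by side against a constructed in-memory SQLite table. The `posts` table, its rows and the function names are assumptions made for the demonstration. A title containing an apostrophe is enough to break the pasted-in version, because the quote character changes the structure of the statement; the same mechanism is what an injection exploits. The bound version treats the value purely as data and finds the row.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from femtoblogger).
POSTS = [
    ("Hello world", "first post"),
    ("O'Reilly's book review", "second post"),
    ("Binding parameters", "third post"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with a small posts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)"
    )
    # Even the seed data goes in through placeholders.
    conn.executemany("INSERT INTO posts (title, body) VALUES (?, ?)", POSTS)
    conn.commit()
    return conn


def find_post_concat(conn: sqlite3.Connection, title: str):
    """The pattern the rule forbids: the variable is pasted into the SQL text.

    Any quote character inside `title` is read by the parser as part of the
    statement, not as part of the value.
    """
    sql = "SELECT id, title FROM posts WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def find_post_bound(conn: sqlite3.Connection, title: str):
    """The rule in practice: the SQL text is fixed and `title` is bound to '?'.

    The database receives the value separately from the statement, so it can
    never be parsed as SQL.
    """
    sql = "SELECT id, title FROM posts WHERE title = ?"
    return conn.execute(sql, (title,)).fetchall()


def compare(title: str):
    """Run both variants on the same input.

    Returns (concat_result, bound_result). concat_result is the list of rows,
    or the exception class name when the pasted-in value broke the statement.
    """
    conn = make_db()
    try:
        concat_result = find_post_concat(conn, title)
    except sqlite3.Error as exc:
        concat_result = type(exc).__name__
    bound_result = find_post_bound(conn, title)
    conn.close()
    return concat_result, bound_result


if __name__ == "__main__":
    for t in ("Hello world", "O'Reilly's book review"):
        print(repr(t), "->", compare(t))
```

Both variants agree on a plain title; on the title with apostrophes the concatenated query raises an `sqlite3` error while the bound query returns the matching row. Nothing in the bound version had to know whether the title came from a form field or from the program itself, which is exactly the simplification the rule is after.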