Pdo injection prevention question: should we use quotation marks or do not use quotation marks? At last, this post was edited by sky94132003 from 2014-08-2706: 07: 37. The anti-injection php version is & nbsp; 5.4.28 is it safe to use preprocessing for all SQL statements in MYSQL? I heard that some people prefer to use & nbsp; PDO: quote & nbs pdo anti-injection. do you want to use quotation marks or not to use them?
This post was last edited by sky94132003 at 06:07:37
PDO anti-injection
Php version 5.4.28
It uses MYSQL
All SQL statements have been preprocessed.
Is it safe enough?
I heard that some people prefer to use PDO: quote to add single quotation marks to all fields.
Are some old PHP versions required?
Is this required only when preprocessing is not performed?
The following are common code modes:
Is it enough for anti-SQL injection?
Could you tell me what needs to be improved?
$add_title="INSERT INTO `topic_title` (`id`,`title_name`,`typeid`) VALUES (NULL,:title_name,:typeid)";
$stmt = $pdo->prepare($add_title);
$stmt->bindParam(':title_name',$title_name);
$stmt->bindParam(':typeid',$typeid);
$stmt->execute();
------ Solution --------------------
Yes, in terms of the current knowledge scope: Enough
------ Solution --------------------
Enough, prepare has done the put injection processing.
------ Solution --------------------
Security is sufficient.
