
I'm working with PDO for the first time and I'm wondering if the below looks safe. I've tried to read up on alternatives to mysql_real_escape and it seems like the 'prepare' method is sufficient enough security-wise; can anyone clarify this for me? Still appears vulnerable...

// Untrusted value straight from the query string
$UID = $_GET['id'];

// The SQL text contains only the placeholder :uid, never the raw value
$sth = $conn->prepare("SELECT * FROM directory WHERE user_active != '' AND ID = :uid");
// The value is supplied separately at execute time and bound to :uid
$sth->execute(array(':uid' => $UID));
Liam
  • See http://stackoverflow.com/questions/3143614/do-php-pdo-prepared-statments-need-to-be-escaped – noetix Oct 22 '12 at 22:40

1 Answer


The prepare method is not only sufficient, it's preferred over mysql_real_escape().

Your code works, as $UID will be transmitted with a different protocol than the rest of the SQL statement. Since the database treats it differently, there's no need to escape.

SomeKittens
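The following is an added example, not code from the question or the answer above. It runs the asker's query twice against a small in-memory SQLite database (the table, its rows and the attacker input are constructed here; the SQLite driver stands in for MySQL so it runs without a server): once with the value concatenated into the SQL text, once bound through a placeholder as in the question. One caveat the answer glosses over: on the MySQL driver PDO emulates prepares by default, quoting the value client-side and splicing it into the SQL rather than sending it in a separate protocol step; setting PDO::ATTR_EMULATE_PREPARES to false makes the answer's "different protocol" description literally true.

```php
<?php
// Added example (not from the original post). Uses sqlite::memory: so it is
// self-contained; "directory", its columns and rows are constructed here.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On the MySQL driver this turns off client-side emulation so the statement
// text and the bound values really travel separately.
$conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$conn->exec("CREATE TABLE directory (ID INTEGER PRIMARY KEY, user_active TEXT, name TEXT)");
$conn->exec("INSERT INTO directory VALUES (1, 'yes', 'alice'), (2, 'yes', 'bob'), (3, '', 'carol')");

// Constructed attacker input, e.g. ?id=1%20OR%201%3D1
$uid = "1 OR 1=1";

// 1. Concatenation: the input is parsed as part of the WHERE clause, so the
//    condition becomes "ID = 1 OR 1=1" and every active row comes back.
$unsafe = $conn->query("SELECT name FROM directory WHERE user_active != '' AND ID = $uid");
$leaked = $unsafe->fetchAll(PDO::FETCH_COLUMN);
echo "concatenated: " . implode(',', $leaked) . PHP_EOL;

// 2. Bound parameter (the question's form): the same input is only ever a
//    value compared against ID; "OR 1=1" never reaches the SQL parser.
$sth = $conn->prepare("SELECT name FROM directory WHERE user_active != '' AND ID = :uid");
$sth->execute([':uid' => $uid]);
$rows = $sth->fetchAll(PDO::FETCH_COLUMN);
echo "bound: " . (count($rows) ? implode(',', $rows) : '(no rows)') . PHP_EOL;
```

The bound form is safe from injection on both engines, but the two engines compare the string '1 OR 1=1' against an integer column differently: SQLite treats it as non-numeric text and matches nothing, while MySQL coerces the leading digits to 1 and matches that single row. If ID is meant to be an integer, say so explicitly with `$sth->bindValue(':uid', (int) $UID, PDO::PARAM_INT)` instead of relying on the database's coercion rules. Placeholders bind values only; table and column names, and ORDER BY or LIMIT fragments on some drivers, still have to be validated against an allowlist.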