Is this code using PDO secure?

Question

I am new to PDO. As I heard PDO can prevent SQL injection attack.

Here's what I have written:

$db = new PDO('mysql:host=192.168.57.36; dbname=somedb; charset=UTF8', 'user1', 'pass1');
$sql = "SELECT * FROM table1 WHERE id = ?";
$stmt = $db->prepare($sql);
$stmt->execute(array($tid));

Is it a secure code ? I guess prepared should do some securing acts but the variable is passed to query after it.

Shoud I use addParam before execution method?

Thank you.

For your secure code question: http://stackoverflow.com/questions/134099/are-pdo-prepared-statements-sufficient-to-prevent-sql-injection — S.Visser, Apr 17 '13 at 09:03

score 3 · Accepted Answer · edited May 23 '17 at 12:22

3

Shoud I use addParam before execution method?

No.

Passing a variable into execute does pretty the same.

There could be other issues though, you can read on them here

edited May 23 '17 at 12:22

Community

1
1

answered Apr 17 '13 at 09:00

Your Common Sense

156,878
40
214
345

Is this code using PDO secure?

1 Answers1