
I'm new to writing PDO code, and I'm trying to transfer my website code from mysql to PDO. I read a lot of tutorials about binding values, but all the values were taken from an array or were stable ones, and I also noticed that mysql_real_escape_string is replaced with quote in PDO.

Now, while I was rewriting code from mysql to PDO, I tried to bindValue $_REQUEST['id'] and the code returns a null value.

$cat_id=$DB->quote($_REQUEST['id']);   // quote() returns the value wrapped in quote characters, e.g. '5'
$sql_cat='select * from '.$prev.'team where id = ? ';   // table name is concatenated, the id is a placeholder
$re_cat=$DB->prepare($sql_cat);
$re_cat->bindValue(1, $cat_id);   // binds the quoted string, not the raw id
$re_cat->execute();
$d_cat=$re_cat->fetch(PDO::FETCH_ASSOC);   // false when no row matches
$cat_name=$d_cat['title'];
$league = $d_cat['leagueID'];
echo $cat_name;

The question here is: if I remove the quote from the $_REQUEST and just bindValue, will that be secure enough against SQL injection?

user2053021
    **Please** take a look at the "Related" column on the right ---> many thanks – Your Common Sense Jun 28 '13 at 09:17
  • possible duplicate of [Are PDO prepared statements sufficient to prevent SQL injection?](http://stackoverflow.com/questions/134099/are-pdo-prepared-statements-sufficient-to-prevent-sql-injection) – jacoz Jun 28 '13 at 09:18
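As an added example (not code from the question or its comments), the following PHP shows why quote() followed by bindValue() returns nothing, and what binding alone does and does not cover. It assumes an in-memory SQLite database standing in for the MySQL one, a constructed table prefix `site_`, and the helper names `teamTable`, `lookupQuoted` and `lookupBound`, none of which appear on the page.

```php
<?php
// Added example, not code from the question. It uses an in-memory SQLite
// database so it runs offline; the question targets MySQL, where the same
// binding rules apply.
$DB = new PDO('sqlite::memory:');
$DB->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$DB->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares where the driver supports them

$prev = 'site_'; // constructed table prefix, standing in for the question's $prev
$DB->exec("CREATE TABLE {$prev}team (id INTEGER PRIMARY KEY, title TEXT, leagueID INTEGER)");
$DB->exec("INSERT INTO {$prev}team (id, title, leagueID) VALUES (5, 'Example FC', 2)");

// Placeholders cover values, never identifiers, so a table prefix that is
// spliced into the SQL string must come from an allow-list the application owns.
const ALLOWED_PREFIXES = ['site_'];

function teamTable(string $prefix): string
{
    if (!in_array($prefix, ALLOWED_PREFIXES, true)) {
        throw new InvalidArgumentException('unknown table prefix');
    }
    return $prefix . 'team';
}

// What the question's code does: quote() wraps the value in quote characters,
// so the bound parameter is the three-character string '5' (quotes included).
// No integer id equals that text, fetch() returns false and $d_cat['title'] is null.
function lookupQuoted(PDO $DB, string $prefix, string $id)
{
    $stmt = $DB->prepare('SELECT title, leagueID FROM ' . teamTable($prefix) . ' WHERE id = ?');
    $stmt->bindValue(1, $DB->quote($id));
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// bindValue() alone: the id travels as a typed parameter, never as SQL text.
// Rejecting anything that is not a plain integer first keeps the comparison
// unambiguous across drivers (MySQL would otherwise silently coerce '5abc' to 5).
function lookupBound(PDO $DB, string $prefix, string $id)
{
    if (!preg_match('/^\d{1,10}$/', $id)) {
        return false; // not a valid id: same outcome as "no such row"
    }
    $stmt = $DB->prepare('SELECT title, leagueID FROM ' . teamTable($prefix) . ' WHERE id = ?');
    $stmt->bindValue(1, (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Constructed request values in place of $_REQUEST['id']; the second is the
// kind of string an injection attempt would carry.
$requests = ['5', '5 OR 1=1'];
foreach ($requests as $id) {
    var_dump(lookupQuoted($DB, $prev, $id)); // bool(false) for both inputs
    var_dump(lookupBound($DB, $prev, $id));  // array(...) for '5', bool(false) for the second input
}
```

The point to take from the two lookups: a bound parameter is sent as data, so the quoting that mysql_real_escape_string used to provide is not needed and doing both corrupts the value. Binding does nothing for parts of the statement that are still built by string concatenation, which is why the table prefix goes through an allow-list rather than a placeholder, and turning off `PDO::ATTR_EMULATE_PREPARES` makes the server, not the PHP driver, handle the parameter on drivers that support native prepares.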
