People tend to get religious about picking the PDO database API over mysqli. Often you find questions regarding mysqli answered with statements like 'Forget mysqli, use PDO. It's the safe way'. So I follow along, getting a grasp of this PDO concept, preparing statements and binding them etc.

But what is the big deal? Why are people making this effort to use their database by this means? How is this safeguarding your application against SQL injections?

Lee

1 Answer


PDO isn't a safeguard against SQL injection. You can still write utterly dangerous injectable queries all you want in PDO, and PDO won't care.

What PDO does is provide TOOLS that allow you to write queries safely.

But don't go blame PDO if it provides a safe hammer, and then you go on using your forehead to drive in some nails. PDO did its job and provided the tools, you're the one with nail holes in your skull.

Marc B
  • I did not know this. Alright so this question should be rewritten... What tools is PDO providing to prevent SQL injection, that mysqli is not providing? – Lee May 12 '14 at 18:58
  • none. they both support placeholders, which is the go-to prevention defense mechanism. they also have exactly the same escape mechanism that old-school `mysql_real_escape_string()` provides for when you CAN'T use placeholders. – Marc B May 12 '14 at 19:19
  • +1 I tell people that PDO prevents SQL injection like a toothbrush prevents cavities. :) – Bill Karwin May 12 '14 at 19:41
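To make the answer and the comment thread concrete, here is an added example (not code from the original question or answer) showing the same lookup written the injectable way and the placeholder way, in both PDO and mysqli. The PDO part runs offline against an in-memory SQLite database with a constructed `users` table; the `mysqli` function at the end assumes an already-open `$mysqli` connection to a MySQL server with the same table and the mysqlnd driver (for `get_result()`), so it is shown but not executed here.

```php
<?php
// Added example, not from the original post. The PDO code runs against an
// in-memory SQLite database so it works offline; with MySQL the DSN would be
// "mysql:host=...;dbname=..." and you would also pass
// PDO::ATTR_EMULATE_PREPARES => false so the server, not the client, prepares.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
// Constructed sample table: two users, one of them an admin.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)');
$pdo->exec("INSERT INTO users (name, is_admin) VALUES ('alice', 1), ('bob', 0)");

// Constructed attacker input: closes the string literal and appends a tautology.
$evil = "x' OR '1'='1";

// 1. Injectable. PDO executes exactly the string it is handed; the API does
//    not inspect or rewrite it, so concatenating user input is still a bug.
function unsafeLookup(PDO $pdo, string $name): array
{
    $sql = "SELECT name, is_admin FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll();
}

// 2. Safe. The SQL text is fixed at prepare() time; the value is sent as a
//    bound parameter and can never change the structure of the statement.
function safeLookup(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name, is_admin FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll();
}

// 3. Placeholders only bind values, not identifiers (table or column names).
//    For those, allow-list the input; escaping is the wrong tool for identifiers.
function lookupOrderedBy(PDO $pdo, string $column): array
{
    $allowed = ['id', 'name'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("Unsupported sort column: $column");
    }
    $stmt = $pdo->prepare("SELECT name, is_admin FROM users ORDER BY $column");
    $stmt->execute();
    return $stmt->fetchAll();
}

printf("unsafe: %d row(s) for %s\n", count(unsafeLookup($pdo, $evil)), var_export($evil, true));
printf("safe:   %d row(s) for %s\n", count(safeLookup($pdo, $evil)), var_export($evil, true));
printf("ordered by name: %s\n", implode(', ', array_column(lookupOrderedBy($pdo, 'name'), 'name')));

// The mysqli equivalent of safeLookup(). Assumes $mysqli is an open mysqli
// connection to a MySQL server holding the same users table (not executed here).
function safeLookupMysqli(mysqli $mysqli, string $name): array
{
    $stmt = $mysqli->prepare('SELECT name, is_admin FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```

Run with the constructed input, `unsafeLookup()` returns every user because the WHERE clause became `name = 'x' OR '1'='1'`, while `safeLookup()` returns nothing because no user is literally named `x' OR '1'='1`. That is the whole difference the answer is pointing at: both libraries hand you `prepare()` and placeholders, and both will happily run a concatenated string if that is what you give them. The third function is the caveat from the comments: when the variable part is an identifier rather than a value, placeholders do not apply, and an allow-list is the safe substitute, not string escaping.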