What is the safe way to avoid SQL injection?

I saw a lot of ways to build up the query. My question is: what is the safest way to avoid SQL injection?

INSERT 1

$st = $this->db->prepare("SELECT * FROM tbl WHERE name=? AND pass=?");
$st->bindParam(1, $name); // bindParam binds by reference: the value is read at execute() time
$st->bindParam(2, $pass);
$st->execute();

INSERT 2

$stmt = $this->db->prepare("INSERT INTO tbl VALUES(:id, :name)");
$stmt->bindValue(':id', $id); // bindValue copies the value at the time of the call
$stmt->bindValue(':name', $name);
$stmt->execute();

Update 1

$st1 = $this->db->prepare("UPDATE tbl SET name=? WHERE name=?");
$st1->bindParam(1, $newname);
$st1->bindParam(2, $name);
$st1->execute();

SELECT

$st = $this->db->prepare("SELECT * FROM tbl WHERE name=?");
$st->bindParam(1, $name);
$st->execute();

Is it safer to use bindParam(1, $name) or bindParam(:id, $name) to avoid SQL injection in the database?

Phil
Hakan Köse
    There's no difference between enumerated `?` and named `:key` placeholders. Albeit not security-related either, `->bindParam` has a different purpose than `->bindValue`. – mario May 28 '14 at 01:07
  • Voted to reopen. This question is specific and is not a duplicate question of the classic "How to prevent SQL injection in PHP?" that everyone links to. @mario, I encourage you to post your comment as an answer. – Bill Karwin May 28 '14 at 01:18

1 Answer

You will avoid SQL injection both ways, there is no difference. Choose the one that you like more.

Sven
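Added example (not part of the question, the answer, or PHP PDO itself): the point made above, that positional `?` and named `:key` placeholders give the same protection, can be checked end to end. Python's sqlite3 module is used here instead of PHP because it supports both placeholder styles on an in-memory database that needs no server; the table, its two rows, and the hostile input are all constructed for the demonstration. The string-concatenated variant is included only to contrast it with the two parameterized forms.

```python
import sqlite3


def make_db():
    """Constructed in-memory table with two sample rows (not data from the question)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)")
    conn.executemany(
        "INSERT INTO tbl (name, pass) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_positional(conn, name, password):
    """Positional placeholders, the equivalent of PDO's `?` with bindParam(1, ...)."""
    cur = conn.execute(
        "SELECT * FROM tbl WHERE name=? AND pass=?", (name, password)
    )
    return cur.fetchall()


def login_named(conn, name, password):
    """Named placeholders, the equivalent of PDO's `:key` with bindValue(':key', ...)."""
    cur = conn.execute(
        "SELECT * FROM tbl WHERE name=:name AND pass=:pass",
        {"name": name, "pass": password},
    )
    return cur.fetchall()


def login_concatenated(conn, name, password):
    """Vulnerable form: user input is spliced into the SQL text, so quotes in the
    input change the query structure. Shown only to contrast with the two above."""
    sql = "SELECT * FROM tbl WHERE name='%s' AND pass='%s'" % (name, password)
    return conn.execute(sql).fetchall()


def compare_placeholder_styles(conn, name, password):
    """True when both parameterized styles return identical rows for the same input."""
    return login_positional(conn, name, password) == login_named(conn, name, password)


def demo():
    """Row counts for a valid login and for a constructed tautology input."""
    conn = make_db()
    good = ("alice", "s3cret")
    hostile = ("alice", "x' OR '1'='1")  # constructed input; a literal string to the bound forms
    return {
        "positional_good": len(login_positional(conn, *good)),
        "named_good": len(login_named(conn, *good)),
        "positional_hostile": len(login_positional(conn, *hostile)),
        "named_hostile": len(login_named(conn, *hostile)),
        "concat_hostile": len(login_concatenated(conn, *hostile)),
        "styles_agree": compare_placeholder_styles(conn, *hostile),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With parameters bound, the hostile password is compared as the literal text `x' OR '1'='1` and matches nothing, regardless of whether the placeholder is `?` or `:pass`; only the concatenated query has its WHERE clause rewritten and returns every row. The choice between placeholder styles is therefore about readability, not safety, exactly as the answer states.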