
I have been researching PDO's bindValue(). I know that preparing my SQL statements with PDO is keeping SQL injections from happening.

```php
// $id and $title are assumed to hold the (untrusted) input values; the question
// omits them. bindValue() takes the value as its second argument and the
// PDO::PARAM_* type hint as its third.
$stmt = $dbh->prepare('SELECT * FROM articles WHERE id = :id AND title = :title');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->bindValue(':title', $title, PDO::PARAM_STR);
$stmt->execute();
```

By binding the ID as a number and the title as a string, we can limit the damage done when someone tries to do an SQL injection within the code.

Should we always bind our values with a PDO::PARAM_ so we can limit what can be pulled from the database in an SQL injection? Does this add more security with PDO when doing our bindValue()?

Samad
  • The types are more to keep you from shooting yourself on the knee, rather than for security. – Royal Bg Jul 10 '14 at 12:09
  • your `bindValue` example is wrong – meda Jul 10 '14 at 13:42
  • possible duplicate of [Are PDO prepared statements sufficient to prevent SQL injection?](http://stackoverflow.com/questions/134099/are-pdo-prepared-statements-sufficient-to-prevent-sql-injection) – hjpotter92 Jul 10 '14 at 17:02
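An added example (not from the question or its comments) that shows where the protection actually comes from: it runs the same tautology-style input through a concatenated query and through the prepared statement, against a constructed in-memory SQLite table. The `articles` rows and the `$id`/`$title` inputs are assumed for illustration.

```php
<?php
// Added example: compare string concatenation with a prepared statement
// whose values are bound through bindValue(). Uses an in-memory SQLite
// database with a constructed table so it runs stand-alone.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$dbh->exec("INSERT INTO articles (id, title) VALUES (1, 'hello'), (2, 'secret')");

// Constructed untrusted input, as it might arrive from a request parameter.
$id    = '1';
$title = "x' OR '1'='1";

// Vulnerable: the input is spliced into the SQL text. The quote inside $title
// closes the string literal and the OR clause becomes part of the query, so the
// WHERE clause is true for every row regardless of id or title.
$sql  = "SELECT * FROM articles WHERE id = $id AND title = '$title'";
$rows = $dbh->query($sql)->fetchAll(PDO::FETCH_ASSOC);
printf("concatenated query: %d row(s)\n", count($rows));

// Safe: the SQL text is fixed at prepare time and the bound values are sent
// as data, never parsed as SQL. The whole of $title is compared as one literal
// title, which no row has. PDO::PARAM_INT is only a type hint for the driver;
// the (int) cast is what guarantees the id is numeric before it is bound.
$stmt = $dbh->prepare('SELECT * FROM articles WHERE id = :id AND title = :title');
$stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
$stmt->bindValue(':title', $title, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
printf("prepared query: %d row(s)\n", count($rows));
```

The type hint does not change the injection outcome; the prepared statement does. The hint mainly keeps a non-numeric value from reaching an integer column unexpectedly, which is the "shooting yourself" point made in the comments.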

0 Answers