
I guess the easiest way to prevent SQL injection on PDO::query, which takes arguments from the user, is to use PDO::prepare and PDO::execute. However, in my case I have an INSERT statement which takes a param from the user. For this purpose I'm using PDO::exec. Below is not the exact code.

$db = new PDO("Connection String to connect to MSSQL");
// $userParam is interpolated straight into the SQL text, so user input becomes part of the statement
$rowsAffected = $db->exec("Insert into MyTable (UserParam) Values($userParam)");

How can I prevent an sql injection on this?

pravin
    You can use prepare with INSERT statements as well. You could use `PDO::quote` for this, but even [the documentation](http://php.net/manual/en/pdo.quote.php) advises to use prepared statements instead. – Gerald Schneider Jul 28 '14 at 14:21
  • 3
    Don't use `exec()` here. `prepare()/execute()` the INSERT statement with a parameter for `:userParam`. – Michael Berkowski Jul 28 '14 at 14:23
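What the comments recommend, written out as an added example (not code from the question or from any answer on the page): the string-built `exec()` call from the question beside the `prepare()`/`execute()` replacement, using the table and column names from the question. The DSN, credentials, driver (`pdo_sqlsrv`) and the attacker string are assumptions made for the demonstration.

```php
<?php
// Added example, not the asker's code. DSN, credentials and the driver are assumptions.
$dsn  = 'sqlsrv:Server=localhost;Database=MyDatabase'; // assumed: pdo_sqlsrv DSN for MSSQL
$user = 'dbuser';                                     // assumed
$pass = 'secret';                                     // assumed

$db = new PDO($dsn, $user, $pass, [
    // Throw on errors instead of returning false, so a failed INSERT is not silently ignored
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Constructed attacker input. With the exec() pattern from the question this closes the
// VALUES list and appends a second statement that the server would execute as-is.
$userParam = "x'); DELETE FROM MyTable; --";

// VULNERABLE: the value is spliced into the SQL text, so quotes and semicolons inside it
// are parsed as SQL. Kept here only to show the pattern being replaced.
function insertUnsafe(PDO $db, string $userParam): int
{
    return $db->exec("INSERT INTO MyTable (UserParam) VALUES ('$userParam')");
}

// SAFE: the statement is prepared with a named placeholder. The value is sent to the server
// separately from the SQL text and is never parsed as SQL, so the same string is stored
// verbatim as a single row and no second statement runs.
function insertSafe(PDO $db, string $userParam): int
{
    $stmt = $db->prepare('INSERT INTO MyTable (UserParam) VALUES (:userParam)');
    $stmt->bindValue(':userParam', $userParam, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount(); // rows affected, the value exec() would have returned
}

// Equivalent with a positional placeholder; execute() takes the values as an array.
function insertSafePositional(PDO $db, string $userParam): int
{
    $stmt = $db->prepare('INSERT INTO MyTable (UserParam) VALUES (?)');
    $stmt->execute([$userParam]);
    return $stmt->rowCount();
}

$affected = insertSafe($db, $userParam);
echo "Inserted $affected row(s); the attacker string was stored as a literal value.\n";
```

Placeholders bind values only: a table or column name coming from the user cannot be parameterised this way and has to be checked against a fixed allow-list instead. `PDO::quote()` would escape the value for the string-concatenation style, but it depends on the driver implementing it correctly for the target database and is the option the PDO manual itself steers away from.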

0 Answers