Escape arguments for PDO statements?

Question

New to PDO - do I need to escape arguments I'm passing into a PDO prepared statement (such as the following):

$_GET['name'] = "O'Brady";

$sth = $dbh->prepare("INSERT INTO users SET name = :name");
$sth->bindParam(':name', $_GET['name']);
$sth->execute();

score 11 · Accepted Answer · answered May 20 '10 at 14:30

11

No. Neither do you need any quotation marks around text strings. Just pass in the variables as they are and the MySQL driver will take care of the rest.

answered May 20 '10 at 14:30

Emil Vikström

90,431
16
141
175

This also what I have been looking for – Musa Mar 03 '13 at 07:38

score 2 · Answer 2 · answered May 20 '10 at 14:32

2

The PDO will build the query in a safe manner so you won't need to escape it.

answered May 20 '10 at 14:32

Jeremy L

7,686
4
29
36

Escape arguments for PDO statements?

2 Answers2

Linked