
I'm writing the following code and want to know if it's still necessary to escape my variables when using bindParam().

$usernameCheckQuery = $db->getConnection()->prepare("SELECT username FROM users WHERE username = :username");
$usernameCheckQuery->bindParam(":username", $data['username'], PDO::PARAM_STR);
$usernameCheckQuery->execute();

I've read in some places that it's not necessary and others that say it is. Thanks for any help.

Joe Scotto

1 Answer


PDO is doing the escaping, so you do not need to. There may be other types of verification that you should do, but that depends on your code. For a longer answer, see Are PDO prepared statements sufficient to prevent SQL injection?

MortenSickel
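The point the answer makes, shown as an added example (not code from the question or the answer): a value bound with bindParam() is sent as data rather than spliced into the SQL text, so escaping it beforehand is unnecessary and in fact breaks the lookup. It uses an in-memory SQLite database and constructed sample rows so it runs stand-alone; the usernameExists() helper is this example's own wrapper around the query from the question.

```php
<?php
// Added example, not from the original post: bound parameters need no
// manual escaping, and pre-escaping them corrupts the value being compared.
// In-memory SQLite with constructed sample rows so the script runs offline.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT NOT NULL)");
// SQL's own quoting ('' for a literal quote) is used only to seed test data.
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('O''Brien')");

// The same lookup as in the question, wrapped in a hypothetical helper.
function usernameExists(PDO $db, string $username): bool
{
    $stmt = $db->prepare("SELECT username FROM users WHERE username = :username");
    // bindParam() binds by reference; the driver transmits the value as data,
    // so quotes inside it never reach the SQL parser as syntax.
    $stmt->bindParam(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchColumn() !== false;   // false when no row matched
}

// 1. A quote in the value is matched literally: no escaping needed.
var_dump(usernameExists($db, "O'Brien"));              // bool(true)

// 2. Injection-shaped input is just a string that matches no row.
var_dump(usernameExists($db, "' OR '1'='1"));          // bool(false)

// 3. Escaping first is wrong: the backslash becomes part of the compared
//    value ("O\'Brien"), so the existing user is no longer found.
var_dump(usernameExists($db, addslashes("O'Brien")));  // bool(false)
```

Case 3 is the practical reason to stop escaping: double handling silently breaks logins for any username containing a quote, while the other checks the answer alludes to (length limits, an allowed character set) are still worth doing separately from the query.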