
I am using PDO for the first time on my project and have some points of confusion that I want to clarify:

  1. Everyone recommends PDO because it prevents SQL injection, so:

    • Do we need to apply other functions before making the query, like strip_tags, or aren't they necessary with PDO?
  2. What is the difference between :username and username?

    Example:

    $stmt = $db->prepare("SELECT id FROM USERS WHERE username=:username");
    $stmt->bindParam(":username", $username);
    $stmt->bindParam("username", $username);
    
  3. Does this prevent SQL injection? PDO::PARAM_STR, which is used as the third parameter in the bindParam statement.

  4. Is it necessary to close the connection by setting the connection object to null at the end? Like:

    $db = null;
    
Alena
  • 1. It depends - do you want to strip away HTML? You shouldn't *escape* the input though. 2. Although not documented, there's no difference when binding, but the colon is needed in the placeholder. 3. The prepare with placeholders in the query prevents SQL injection; the last parameter there is the type of variable. 4. PHP closes the connection at the end of the script anyway, and it shouldn't be needed, but it doesn't do any harm either, as long as you don't need to use the connection after closing it. – Qirel Jul 11 '17 at 09:39
  • Please do not ask multiple questions in a single post. It makes answering and accepting an answer a lot more difficult. – Shadow Jul 11 '17 at 09:40
  • Also, as you can see, all these questions have been asked and answered before here on SO. – Shadow Jul 11 '17 at 09:58
  • @Qirel thank you so much for your answer. And Shadow, I understand that and won't repeat this mistake again! :) – Alena Jul 12 '17 at 16:52
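
The points raised in the question and in Qirel's comment, shown together in one runnable script. This is an added example, not code from the question or the comments; it uses an in-memory SQLite database through PDO so it runs offline, and the USERS table, its rows, and the input strings are constructed sample data. The second input contains a quote only to show that a placeholder value is compared as a string and never parsed as part of the query.

```php
<?php
// Added example (not from the question or comments): in-memory SQLite via PDO,
// so it runs offline. Table and rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE USERS (id INTEGER PRIMARY KEY, username TEXT NOT NULL)");
$db->exec("INSERT INTO USERS (username) VALUES ('alice'), ('bob')");

// The unsafe pattern that prepared statements replace: user input concatenated
// into the SQL text. A quote inside $username changes the query's structure.
function lookupUnsafe(PDO $db, string $username): array {
    $sql = "SELECT id FROM USERS WHERE username='$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The PDO way: the query text is fixed at prepare() time; the value travels
// separately and can only ever be compared as data, never parsed as SQL.
// Whether you write ':username' or 'username' in bindValue/bindParam makes no
// difference; the colon is required in the placeholder inside the query.
function lookupSafe(PDO $db, string $username): array {
    $stmt = $db->prepare("SELECT id FROM USERS WHERE username = :username");
    // PDO::PARAM_STR only declares the value's type. The injection protection
    // comes from the placeholder, not from this constant.
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$normal = 'alice';
$quoted = "x' OR '1'='1";   // constructed input containing a quote character

printf("unsafe, normal input: %s\n", json_encode(lookupUnsafe($db, $normal)));
printf("unsafe, quoted input: %s\n", json_encode(lookupUnsafe($db, $quoted)));
printf("safe,   normal input: %s\n", json_encode(lookupSafe($db, $normal)));
printf("safe,   quoted input: %s\n", json_encode(lookupSafe($db, $quoted)));

// strip_tags / htmlspecialchars belong to output handling, not to the query:
// store the raw string as-is, escape it when rendering HTML.
$stmt = $db->prepare("INSERT INTO USERS (username) VALUES (:username)");
$stmt->bindValue('username', '<b>carol</b>', PDO::PARAM_STR); // colon omitted: still works
$stmt->execute();
echo htmlspecialchars('<b>carol</b>', ENT_QUOTES, 'UTF-8'), "\n";

// Releasing the connection is optional; PHP closes it at script end. Setting
// the handle to null only closes it once no statement still references it.
$stmt = null;
$db = null;
```

With the concatenated query the quoted input turns the WHERE clause into `username='x' OR '1'='1'` and every row comes back; with the placeholder the same string is compared literally against the username column and no row matches. The type constant and the leading colon in the bind call change nothing about that; only the placeholder does.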

0 Answers