I'm starting fresh here and reading a lot of posts on injection. This one is excellent but it's 8 years old. Is it still valid? php/pdo/mysql is changing all the time. Thanks.
Are PDO prepared statements sufficient to prevent SQL injection?
The highest-rated answers there still very much apply. In general, however, beware of anyone who tells you that a certain method of preventing a certain security issue is a 100% cure. In this case, especially be careful with dynamic SQL. I would actually avoid using dynamic queries altogether if you're just getting started.
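To illustrate the dynamic SQL caveat in the answer above, here is an added example (not part of the original post or the linked thread): PDO placeholders can only stand for values, so a user-chosen sort column has to come from a fixed allowlist instead of being concatenated into the query. The `users` table, the `findUsers` helper and the in-memory SQLite database are assumptions made so the snippet runs offline; the same pattern applies with the MySQL driver.

```php
<?php
// Added example with constructed data; in-memory SQLite keeps it self-contained.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (name, email) VALUES
    ('alice', 'a@example.test'), ('bob', 'b@example.test')");

// Hypothetical helper: values go through placeholders, identifiers through an allowlist.
function findUsers(PDO $pdo, string $nameFilter, string $sortBy, string $direction): array
{
    // Column names and keywords cannot be bound as parameters,
    // so they are looked up in fixed maps instead.
    $columns    = ['id' => 'id', 'name' => 'name', 'email' => 'email'];
    $directions = ['asc' => 'ASC', 'desc' => 'DESC'];
    $dirKey     = strtolower($direction);

    if (!isset($columns[$sortBy], $directions[$dirKey])) {
        throw new InvalidArgumentException('Unsupported sort option');
    }

    // Only strings taken from the maps above are concatenated into the SQL text.
    $sql = 'SELECT id, name, email FROM users WHERE name LIKE :name'
         . ' ORDER BY ' . $columns[$sortBy] . ' ' . $directions[$dirKey];

    $stmt = $pdo->prepare($sql);
    $stmt->execute([':name' => $nameFilter]); // the value is sent as data, never as SQL
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Normal use: both rows, sorted by name descending.
print_r(findUsers($pdo, '%', 'name', 'desc'));

// A value full of SQL metacharacters (constructed) is just a string to match against.
print_r(findUsers($pdo, "x' OR '1'='1", 'id', 'asc'));

// A sort option outside the allowlist (constructed) never reaches the query.
try {
    findUsers($pdo, '%', 'id; --', 'asc');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```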