问题
$stmt = $conn->prepare('SELECT * FROM users WHERE user_id = :user_id');
$stmt->execute(array(':user_id' => $_GET['user_id']));
$result = $stmt->fetchAll(PDO::FETCH_OBJ);
I'm using PDO like that, do I need to sanitise GET parameter?
I know if I do $stmt->bindParam(':user_id', $_GET['user_id'], PDO::PARAM_INT); than it is not a problem. But is my way safe?
回答1:
Yes, it's safe. The only differences between execute and bind* are:
executeaccepts several parameters at once, while you have tobind*each one individuallybind*allows you to specify the parameter type, whileexecutebinds everything as strings
Passing parameters to execute is mostly a convenience shorthand, it's still safe.
来源:https://stackoverflow.com/questions/21110329/using-pdo-without-binding