Do PHP PDO prepared statements need to be escaped?

Happy的楠姐 2020-11-29 06:25

On the PDO::Prepare page it states,

"and helps to prevent SQL injection attacks by eliminating the need to manually quote the parameters"

5 answers
  •  既然无缘
    2020-11-29 07:16

    Yes and no:

    • Literals which you embed into the statement string need to be escaped as normal.
    • Values which you bind to the prepared statement are handled by the library.
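
The two cases in the answer above, shown side by side as an added example that is not part of the original answer. It assumes the `pdo_sqlite` extension and uses a constructed in-memory table `authors` and a constructed input value.

```php
<?php
// Added example, not from the original answer.
// Assumptions: pdo_sqlite is available; the table and the input are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE authors (id INTEGER PRIMARY KEY, name TEXT)');

$name = "O'Reilly"; // constructed input containing a quote character

// Case 1: value bound to the prepared statement.
// No manual quoting or escaping; the library handles the value.
$insert = $pdo->prepare('INSERT INTO authors (name) VALUES (:name)');
$insert->execute([':name' => $name]);

$select = $pdo->prepare('SELECT COUNT(*) FROM authors WHERE name = :name');
$select->execute([':name' => $name]);
$boundCount = (int) $select->fetchColumn();

// Case 2a: literal embedded in the statement string, left unescaped.
// prepare() does nothing for text that is already part of the SQL string,
// so the quote inside $name ends the string literal early.
$unescapedRejected = false;
try {
    $pdo->prepare("SELECT COUNT(*) FROM authors WHERE name = '$name'")->execute();
} catch (PDOException $e) {
    $unescapedRejected = true; // the statement no longer parses as intended
}

// Case 2b: literal embedded in the statement string, escaped "as normal".
// PDO::quote() adds the surrounding quotes and escapes the embedded one.
$quoted = $pdo->quote($name);
$stmt = $pdo->prepare("SELECT COUNT(*) FROM authors WHERE name = $quoted");
$stmt->execute();
$quotedCount = (int) $stmt->fetchColumn();

printf("rows matched with bound value:      %d\n", $boundCount);
printf("unescaped embedded literal failed:  %s\n", $unescapedRejected ? 'yes' : 'no');
printf("rows matched with quoted literal:   %d\n", $quotedCount);
```

Binding (case 1) is the form to prefer for any value that varies at run time; case 2b only matters when a literal really has to be written into the SQL text.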
