How does PHP PDO's prepared statements prevent sql injection? What are other benefits of using PDO? Does using PDO reduce efficiency?

Front end | Unresolved | 3 answers | 1113 views
孤街浪徒 2020-12-05 08:52

I have been spotting the sentence "PHP PDO's prepared statements prevent SQL injection."

  • How does PHP PDO's (PDO's prepared sta
3 answers
  •  忘掉有多难
    2020-12-05 09:17

    1. The primary method PDO uses to prevent SQL injection is preparing statements with parameters in the query and supplying the values when the query is executed. PDO will automatically take care of escaping quotes and other characters in the values. As long as you do this in every query, and do not put values directly in the query, you are protected against SQL injection. The answers in the question you linked to show how this is done.

    2. One of the main advantages of using PDO, or any DBA, is that PDO encapsulates the low-level communication with the actual DB, leaving you to deal only with the actual query logic. It lets you change which database you're using (MySQL, PostgreSQL, etc.) with minimal effort. It also makes it easier to work with master/slave setups and read replicas.

    3. In most cases using PDO will only be marginally slower than direct function calls. In any case, the slight decrease in performance is well worth it.
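The points above, as an added example that is not part of the original answer: the same user lookup written once by string concatenation and once as a PDO prepared statement, run against an in-memory SQLite database so it needs only ext/pdo_sqlite and no server. The table, its rows, the payload and the function names (findUserVulnerable, findUserPrepared, listUsers) are all constructed for this demo.

```php
<?php
// Added example, not code from the original answer. Assumes PHP with
// ext/pdo_sqlite; the table, rows and inputs below are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL also turn off client-side emulation so the server itself receives
// a real prepared statement and the parameters separately from the SQL text.
// pdo_sqlite has no emulation, so this call simply returns false there.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Vulnerable: the caller-supplied value is spliced into the SQL text, so the
// database parses whatever the caller wrote as part of the statement.
function findUserVulnerable(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name, role FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the SQL text is fixed at prepare() time; the value is only ever a
// parameter, so it can never change the shape of the statement.
function findUserPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed tautology payload. In the vulnerable function the statement
// becomes:  ... WHERE name = '' OR '1'='1'
// In the prepared function it is just a name nobody has.
$payload = "' OR '1'='1";

$leaked = findUserVulnerable($pdo, $payload);
$safe   = findUserPrepared($pdo, $payload);

printf("concatenated query returned %d row(s)\n", count($leaked));
printf("prepared query returned %d row(s)\n", count($safe));

// Caveat: placeholders stand in for values only. Identifiers (table or column
// names) and keywords cannot be bound, so anything that must land there has to
// come from an allow-list, and integers for LIMIT/OFFSET should be bound with an
// explicit type rather than passed as strings.
function listUsers(PDO $pdo, string $orderBy, int $limit): array
{
    $allowed = ['id', 'name', 'role'];
    if (!in_array($orderBy, $allowed, true)) {
        throw new InvalidArgumentException("unsupported sort column: $orderBy");
    }
    $stmt = $pdo->prepare("SELECT id, name FROM users ORDER BY $orderBy LIMIT :limit");
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

print_r(listUsers($pdo, 'name', 1));
```

Run as `php demo.php`: against the two constructed rows the concatenated query returns both users, because the payload turned the WHERE clause into a tautology, while the prepared query returns none, because the database only ever compared the column against the literal string the caller sent. The listUsers function shows the part prepared statements do not cover: a sort column chosen by the caller is validated against a fixed list before it is interpolated, and the LIMIT is bound with PDO::PARAM_INT.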
