I understand the right way to protect a db from SQL injection is by using prepared statements. I would like to understand how prepared statements protect m
Here's my somewhat limited view on the matter...
A prepared statement is compiled on the DB server with placeholders for variable input.
When you bind a parameter, you're telling the DB which values to use when you execute the query. It will then pass the value to the compiled statement.
The difference between binding parameters and plain old string injection is that with the former, the value is not interpolated but rather assigned. During execution, the DBMS hits a placeholder and requests the value to use. This way, there's no chance of quote characters or other nasties sneaking their way into the actual statement.
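As an added illustration that is not part of the original answer, the following Python script (using the standard library's sqlite3 module and a constructed in-memory table) runs the same lookup both ways: once with the value interpolated into the SQL text and once with it bound to a placeholder, so the difference described above can be observed directly.

```python
import sqlite3

# Constructed sample data for this demo (not from the original post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")])
    return conn

def lookup_interpolated(conn, name):
    # String interpolation: the value becomes part of the SQL text, so a
    # quote inside `name` ends the literal and changes the statement itself.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(conn, name):
    # Placeholder plus bound parameter: the statement text is fixed; the
    # value is handed over separately and compared as data, quotes and all.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def demo():
    conn = make_db()
    results = {}
    # A perfectly legitimate apostrophe breaks the interpolated query.
    try:
        lookup_interpolated(conn, "O'Brien")
        results["interp_obrien"] = "ok"
    except sqlite3.OperationalError:
        results["interp_obrien"] = "syntax error"
    results["bound_obrien"] = lookup_bound(conn, "O'Brien")
    # A value containing a quote rewrites the WHERE clause when interpolated,
    # returning every row ...
    tainted = "x' OR '1'='1"
    results["interp_tainted"] = lookup_interpolated(conn, tainted)
    # ... but is matched literally (no such user) when bound.
    results["bound_tainted"] = lookup_bound(conn, tainted)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```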