Correct way to sanitize input in MySQL using PDO

Question

so I had a friend of mine try to run a SQLinjection on my site and he managed to get into it using the code underneath. How can I prevent this? I have read something about s

Answer 1

Don't sanitize input. Just make sure that you really write to the database what ever data is provided (i.e. protect against SQL injection) and then escape your output.

To protect against SQL injection, use bound parameters. To escape your output, use htmlspecialchars on web pages and any other encoding appropriate given the medium you are outputting to.

Just remember that you have to do both of the above. If you only protect against SQL injection attacks, you'll still leave your site wide open to XSS attacks.