PDO prepared statements [closed]

南笙酒味 submitted on 2019-12-13 23:52:17

Question


I know that PDO prepared statements should be used to avoid SQL injection. Must it always have this format:

$stmt = $db->prepare('SELECT * FROM table where id = :id');
$stmt->execute( array(':id' => $_GET['id']) );

or will any of the following formats negate SQL injection too?

VERSION 1

$queryString = "SELECT * FROM table WHERE id = ".$_GET['id'];
$stmt = $db->prepare($queryString);
$stmt->execute();
$row = $stmt->fetchAll(PDO::FETCH_ASSOC);

VERSION 2

$stmt = $db->query("SELECT * FROM table WHERE id = ".$_GET['id']);
$row = $stmt->fetchAll(PDO::FETCH_ASSOC);

Answer 1:


You have to bind your variables like you do in your first code. The Version 1 and Version 2 codes are both INSECURE.
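As an added example (not code from the original question or answer), the bound form and "Version 1" side by side against an in-memory SQLite table, so the difference in behaviour can be seen directly; the table, its rows and the two input values are constructed for the demo and stand in for `$_GET['id']`.

```php
<?php
// Added example, not code from the original question or answer. It uses an
// in-memory SQLite database so it runs offline: `php pdo_binding_demo.php`.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Safe form from the question: the value travels as a bound parameter, so the
// database never parses it as part of the SQL statement text.
function fetchByIdBound(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// "Version 1" from the question: prepare() is called, but on a string that
// already contains the user input, so nothing is actually parameterised.
function fetchByIdConcat(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = ' . $id);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for $_GET['id']: a normal request, and one
// whose id parameter carries SQL instead of a number.
$inputs = [
    'normal'  => '2',
    'tainted' => '2 OR 1=1',
];

foreach ($inputs as $label => $id) {
    $bound = fetchByIdBound($db, $id);
    // With the bound query the tainted value is compared as one literal
    // against the integer column; only the normal value can match a row.
    printf("bound  / %-7s -> %d row(s)\n", $label, count($bound));

    $concat = fetchByIdConcat($db, $id);
    // With concatenation the tainted value is executed as
    // "WHERE id = 2 OR 1=1", a condition that is true for every row.
    printf("concat / %-7s -> %d row(s)\n", $label, count($concat));
}
```

"Version 2" (`$db->query(...)` on the concatenated string) behaves exactly like `fetchByIdConcat`, since neither path ever separates the value from the statement.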



Source: https://stackoverflow.com/questions/17076202/pdo-prepared-statements
