In PHP, how does PDO protect from SQL injections? How do prepared statements work?
<p>I understand the right way to protect a db from SQL injection is by using prepared statements. I would like to understand <strong>how</strong> prepared statements protect my db.</p>
<p>For starters, are prepared statements the same thing as "parameterised queries"?</p>
<p>As an example, I'm pasting below my code for the insertion of a new user in a user table. Is that secure? How does PDO work to make it secure? Does anything more need to be done to secure the db from injection?</p>
<p>In 'Class_DB.php':</p>
<pre><code>class DB {
    private $dbHost;
    private $dbName;
    private $dbUser;
    private $dbPassword;

    function __construct($dbHost, $dbName, $dbUser, $dbPassword) {
        $this-&gt;dbHost = $dbHost;
        $this-&gt;dbName = $dbName;
        $this-&gt;dbUser = $dbUser;
        $this-&gt;dbPassword = $dbPassword;
    }

    // Opens a new PDO connection. The DSN key must be the lowercase "dbname":
    // pdo_mysql matches DSN keys case-sensitively and would ignore "dbName",
    // leaving the connection with no database selected.
    function createConnexion() {
        $pdo = new PDO("mysql:host=$this-&gt;dbHost;dbname=$this-&gt;dbName",
                       $this-&gt;dbUser, $this-&gt;dbPassword);
        // Make PDO throw on errors instead of failing silently.
        $pdo-&gt;setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        return $pdo;
    }
}
</code></pre>
<p>In 'DAO_User.php':</p>
<pre><code>require_once('Class_DB.php');

class DAO_User {
    private $dbInstance;

    function __construct($dbInstance) {
        $this-&gt;dbInstance = $dbInstance;
    }

    // Inserts a user with bound parameters: the SQL text contains only
    // placeholders, and the values are supplied separately at execute().
    function createUser($user) {
        $dbConnection = $this-&gt;dbInstance-&gt;createConnexion();
        $query = $dbConnection-&gt;prepare(
            "INSERT INTO users (userName, hashedPassword, userEmail) VALUES (?, ?, ?)"
        );
        $query-&gt;bindValue(1, $user-&gt;userName);
        $query-&gt;bindValue(2, $user-&gt;hashedPassword);
        $query-&gt;bindValue(3, $user-&gt;userEmail);
        $query-&gt;execute();
    }
}
</code></pre>
<p>Thanks,</p>
<p>JDelage</p>
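<p>As an added example (not part of the question or its author's code), the script below puts the bound-parameter insert from createUser next to a string-concatenation insert, using an in-memory SQLite database so it runs offline; the sample name, hash and e-mail are constructed, and the MySQL DSN in the question behaves the same way with PDO.</p>

```php
<?php
// Added example: why binding keeps a value from becoming SQL syntax.
// Uses sqlite::memory: so it runs with no server; the question's MySQL DSN
// works identically (with PDO::ATTR_EMULATE_PREPARES set to false, pdo_mysql
// also prepares on the server instead of quoting values client-side).
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on errors instead of silently returning false.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (userName TEXT, hashedPassword TEXT, userEmail TEXT)');
    return $pdo;
}

// Unsafe: the value is spliced into the SQL text, so any quote inside it is
// parsed as part of the statement's grammar rather than as data.
function insertByConcatenation(PDO $pdo, string $name, string $hash, string $email): void
{
    $pdo->exec("INSERT INTO users (userName, hashedPassword, userEmail) "
             . "VALUES ('$name', '$hash', '$email')");
}

// Safe: the statement is compiled first with placeholders only; the values are
// handed to the driver afterwards and can never change the statement's structure.
function insertByBinding(PDO $pdo, string $name, string $hash, string $email): void
{
    $stmt = $pdo->prepare('INSERT INTO users (userName, hashedPassword, userEmail) VALUES (?, ?, ?)');
    $stmt->bindValue(1, $name);
    $stmt->bindValue(2, $hash);
    $stmt->bindValue(3, $email);
    $stmt->execute();
}

$pdo   = connect();
$name  = "O'Brien";  // constructed input: a legitimate name that contains a quote
$hash  = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$email = 'obrien@example.com';

try {
    insertByConcatenation($pdo, $name, $hash, $email);
} catch (PDOException $e) {
    // The stray quote broke the statement: SQLite reports a syntax error near "Brien".
    echo "Concatenation failed: {$e->getMessage()}\n";
}

insertByBinding($pdo, $name, $hash, $email);
$row = $pdo->query('SELECT userName FROM users')->fetch(PDO::FETCH_ASSOC);
echo "Stored verbatim via binding: {$row['userName']}\n";
```

<p>The same property that makes a harmless quote safe here is what stops hostile input from altering the query: bound values are never part of the SQL text, so there is nothing for a separate escaping step to get wrong.</p>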