Do PDO prepared statements prevent SQL injection 100%?

Hello,

I’m new to using the PDO library for database management … so I read about prepared statements (PDO::prepare) … and I read that they prevent SQL injection … but someone told me that they aren’t secure all the time … so I must use my own additional methods to prevent SQL injection …

But I don’t know if what he says is right or wrong … so please tell me :slight_smile: ??

SQL injection is where SQL is inserted into the data passed into a query and the system is tricked into treating it as a part of the query instead of as part of the data.

When the SQL and data are not jumbled together (e.g. by using a prepared statement) then you can’t trick the system into thinking that the data is a part of the SQL because they are completely separate. Therefore SQL injection is completely impossible in that situation because there is no way to make the system think that the data is actually SQL, because they are processed by different statements.

Oooh, thanks a lot Mr felgall … your reply helped me very much :slight_smile:


Avenir … I read the article. It’s very useful … but it puzzled me !! … now I don’t know if prepared statements are sufficient for preventing SQL injections or not !! :blush:

logic_earth: I want to use PDO with all my scripts … my scripts of course use queries and data entered by the user, not by me … so what do I do?

same question here :wink:

If you are not building queries with user data then yes.
With prepared statements, the SQL and data are processed separately.
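The two points made in this thread, felgall's "SQL and data are processed separately" and the later caveat "if you are not building queries with user data", can be seen side by side in a short script. This is an added example, not code posted by anyone in the thread: it assumes an in-memory SQLite database through PDO with constructed sample rows, so it runs offline, and the `findByNameConcat`, `findByNamePrepared` and `listUsersSortedBy` function names are ours.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. An in-memory SQLite database with
// constructed rows stands in for a real application database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On drivers such as MySQL, PDO emulates prepares client-side by default; setting
// PDO::ATTR_EMULATE_PREPARES to false there gives true server-side prepared
// statements. SQLite prepares natively, so the attribute is not set here.

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed "user input": a tautology payload. When concatenated into the SQL
// text the leading quote closes the string literal and the rest is parsed as SQL.
$userInput = "' OR '1'='1";

// 1) Vulnerable: SQL and data are jumbled into one string, which is exactly the
//    situation felgall describes as injectable.
function findByNameConcat(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2) Safe: the SQL is compiled by prepare() before any data arrives, and the
//    bound value can only ever be compared as a string, never parsed as SQL.
function findByNamePrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 3) The caveat from the last answer: placeholders bind *values* only. Table and
//    column names, ORDER BY targets, and keywords cannot be parameterised, so a
//    query whose structure comes from user data is back to string building and
//    prepare() does not protect it. The defensive fix is an allow-list of the
//    identifiers the application itself defines.
function listUsersSortedBy(PDO $pdo, string $column): array
{
    $allowed = ['name', 'role'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('unknown sort column: ' . $column);
    }
    // $column is now one of our own constants, so interpolating it is safe.
    $stmt = $pdo->prepare("SELECT name FROM users ORDER BY $column");
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

echo "concat:   ", json_encode(findByNameConcat($pdo, $userInput)), "\n";   // ["alice","bob"] - whole table leaks
echo "prepared: ", json_encode(findByNamePrepared($pdo, $userInput)), "\n"; // []              - payload is just a name nobody has
echo "sorted:   ", json_encode(listUsersSortedBy($pdo, 'role')), "\n";      // ["alice","bob"]

try {
    listUsersSortedBy($pdo, 'name; DROP TABLE users');                     // constructed hostile identifier
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The first two calls receive identical input; only the concatenated version treats it as SQL, which is felgall's point. The third function is the other half of the answer: as long as every piece of user-controlled data goes through a bound parameter and every piece of query structure comes from the application's own allow-list, prepared statements do close the injection route; the cases people describe as "not secure" are the ones where user data is still stitched into the query text.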