
I'm relatively new to PDO and I have written the following block of code:

$id = $_GET['id'];

$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8', 'username', 'password');

foreach($db->query("SELECT id,name FROM names where id = '$id' ") as $row) {
    echo "<p>", ($row['name']), "<br>";
}

My uncertainties are:

  1. Is it safe to OMIT mysql_real_escape_string in the first line since I'm using PDO?
  2. Is it safe to run the query as above without using bind values?

Thanks

  • mysql_real_escape_string has no connection to PDO; don't use it. Re 2: Nope, it's not safe. Commented Jul 23, 2013 at 15:16
  • @Pekka, why not leave an answer? Commented Jul 23, 2013 at 15:23
  • @JasonMcCreary because Pekka has too many reps.... leaving something for newbies like us lol. Commented Jul 23, 2013 at 15:29

2 Answers

No, this is not safe. PDO doesn't magically escape your queries for you. Your code, as shown, is wide open to SQL injection.

If you are using variables in your query, don't use ->query. Do not try to escape them yourself. You should be using prepared statements. That's the way to be safe.

// The SQL text is fixed here; the ? placeholder is filled in by the driver,
// so whatever $id contains can only ever be a value, never part of the query.
$stmt = $db->prepare('SELECT id,name FROM names where id = ?');
// execute() binds the values in order and runs the statement; it returns false on failure.
if($stmt->execute(array($id))){
    while($row = $stmt->fetch(PDO::FETCH_ASSOC)){
        echo "<p>", ($row['name']), "<br>";
    }
}

So, yes, you need to use bindParam, or execute, as shown.

P.S. mysql_real_escape_string is only for the (deprecated) mysql_ extension. It doesn't work with PDO.


2 Comments

I will mark this as the answer, but do you mind clarifying 2 things: 1. Is there a way to make your code a little simpler 2. Can this method also be used where there are no variables involved? Thanks.
How much simpler do you want it? What's complicated about it? If there are no variables to bind, then it's perfectly OK to use ->query().
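The accepted answer above shows the fix in isolation; here is an added, self-contained demonstration (not code from the question or either answer) that runs the question's interpolated query and the prepared-statement version side by side against an in-memory SQLite database, with constructed sample rows and a constructed hostile `id` value, so the difference in behaviour is visible without a MySQL server.

```php
<?php
// Added example, not from the original question or answers.
// Uses PDO's sqlite driver with an in-memory database so it runs offline;
// the table and the two rows below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE names (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO names (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Pattern from the question: the request value is spliced into the SQL text,
// so the database parses whatever it contains as part of the statement.
function lookupUnsafe(PDO $db, string $id): array
{
    $rows = [];
    foreach ($db->query("SELECT id, name FROM names WHERE id = '$id'") as $row) {
        $rows[] = $row['name'];
    }
    return $rows;
}

// Pattern from the accepted answer: the SQL text is fixed at prepare time and
// the value is sent separately, so it can only ever be compared against id.
// (With the MySQL driver you would also set PDO::ATTR_EMULATE_PREPARES to
// false so the server, not the client, does the binding.)
function lookupSafe(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, name FROM names WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 1);
}

// Constructed input standing in for ?id=... : a string instead of a number.
$hostile = "1' OR '1'='1";

print_r(lookupUnsafe($db, $hostile)); // ['alice', 'bob']: the WHERE clause was rewritten
print_r(lookupSafe($db, $hostile));   // []: no row has an id equal to that literal string
print_r(lookupSafe($db, '2'));        // ['bob']: ordinary lookups still work
```

Run with `php example.php`; the first call returns every row because the quote in `$hostile` closed the string literal and appended an always-true condition, while the prepared version returns nothing for the same input.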

To answer your questions:

  1. It is safe to omit mysql_real_escape_string as long as you use bindings (well... you can't use mysql_real_escape_string with PDO anyway).

  2. Nope. It is absolutely unsafe. It doesn't matter whether you are using PDO or not.
