php - PDO and Escaping Input: Is this the safest way?

39

I want to check myself before I go live. I have read so many different things on the internet, but I want to know if this will absolutely protect my code from SQL injection. If not, what do I need to add or take away?

// $conn is an existing PDO connection (not shown in the question)
$idtoapprove = mysql_real_escape_string($_POST['idtoapprove']);  // from the old mysql_* extension, not PDO

$getcity = $conn->prepare('SELECT city, state FROM needs WHERE ID=:idtoapprove');
$getcity->bindParam(':idtoapprove', $idtoapprove);  // value is sent as a bound parameter, not spliced into the SQL text
$getcity->execute();

$cityrow = $getcity->fetch();
$needcity = $cityrow['city'];
$needstate = $cityrow['state'];

echo "$needcity, $needstate";
541

Answer

Solution:

No need for mysql_real_escape_string here; actually, it's flat-out wrong (it's from a different, deprecated database library) and can damage your data. (Also, it would be ineffective here anyway: mysql_real_escape_string() is for escaping strings; it is useless for integers.)

The PDO prepared statement is enough.
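An added example, not from the question or the answer above, showing the answer's point in running code: the query built by string concatenation beside the PDO prepared statement with a validated, typed integer parameter. It uses an in-memory SQLite database with a constructed needs table so it runs without a MySQL server; the hostile input is constructed for the demo.

```php
<?php
// Added example: vulnerable string-building beside a PDO prepared statement.
// In-memory SQLite stands in for MySQL; table and rows are constructed here.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server binds the values.
$conn->exec('CREATE TABLE needs (ID INTEGER PRIMARY KEY, city TEXT, state TEXT)');
$conn->exec("INSERT INTO needs VALUES (1, 'Austin', 'TX'), (2, 'Denver', 'CO')");

// Vulnerable: the value is spliced into the SQL text, so it can change the query.
// String escaping would not help here: the integer context has no quotes to break out of.
function lookupUnsafe(PDO $conn, string $idtoapprove): array
{
    $sql = "SELECT city, state FROM needs WHERE ID=$idtoapprove";
    return $conn->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: validate that the input is an integer, then bind it as a typed parameter.
function lookupSafe(PDO $conn, string $idtoapprove): array
{
    $id = filter_var($idtoapprove, FILTER_VALIDATE_INT);
    if ($id === false) {
        return []; // not an integer: refuse rather than let the database guess
    }
    $stmt = $conn->prepare('SELECT city, state FROM needs WHERE ID = :idtoapprove');
    $stmt->bindValue(':idtoapprove', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$hostile = '1 OR 1=1'; // constructed input: no quotes, so escaping would leave it unchanged
printf("unsafe: %d rows\n", count(lookupUnsafe($conn, $hostile)));
printf("safe:   %d rows\n", count(lookupSafe($conn, $hostile)));
printf("safe:   %d rows\n", count(lookupSafe($conn, '2')));
```

The concatenated query returns every row for the hostile input, while the validated prepared statement returns none for it and exactly one row for a genuine ID.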
