php - PDO and Escaping Input: Is this the safest way?
I want to check myself before I go live. I have read so many different things on the internet, but I want to know if this will absolutely protect my code from SQL injection. If not, what do I need to add or take away?
```php
$idtoapprove = mysql_real_escape_string($_POST['idtoapprove']);
$getcity = $conn->prepare('SELECT city, state FROM needs WHERE ID=:idtoapprove');
$getcity->bindParam(':idtoapprove', $idtoapprove);
$getcity->execute();
$cityrow = $getcity->fetch();
$needcity = $cityrow['city'];
$needstate = $cityrow['state'];
echo "$needcity, $needstate";
```
No need for `mysql_real_escape_string` here; actually, it's flat-out wrong (it's from a different, deprecated database library) and can damage your data. (Also, it would be ineffective here anyway: `mysql_real_escape_string()` is for escaping strings, it is useless for integers.)
The PDO prepared statement is enough.
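The answer above in full, as an added example that is not the asker's or the answerer's code: the same lookup with the `mysql_real_escape_string()` call dropped, the ID validated as an integer before it reaches the database, bound with `PDO::PARAM_INT`, and the missing-row case handled instead of reading fields off `false`. The DSN, credentials and table layout (`needs` with columns `ID`, `city`, `state`) are assumptions for illustration.

```php
<?php
// Added example, not code from the original question or answer. Assumes a MySQL
// database reachable through the DSN below and a table `needs` (ID, city, state).
declare(strict_types=1);

function connect(): PDO
{
    $dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4'; // assumed DSN
    return new PDO($dsn, 'app_user', 'app_password', [        // assumed credentials
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // native server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/**
 * Look up city/state for one record. The ID is sent as a bound integer
 * parameter, separate from the SQL text, so no escaping is needed for it.
 * Returns null when no row matches.
 */
function findCityState(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT city, state FROM needs WHERE ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Validate the request input as a positive integer before it touches the database.
// filter_input() returns null when the field is absent and false when it is not an int.
$id = filter_input(INPUT_POST, 'idtoapprove', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('invalid id');
}

$row = findCityState(connect(), $id);
if ($row === null) {
    http_response_code(404);
    exit('not found');
}

// Escaping belongs at the output boundary (HTML here), not at the SQL boundary.
echo htmlspecialchars($row['city'], ENT_QUOTES, 'UTF-8'), ', ',
     htmlspecialchars($row['state'], ENT_QUOTES, 'UTF-8');
```

Disabling `PDO::ATTR_EMULATE_PREPARES` makes the driver send the statement and the parameter to the server separately rather than interpolating a quoted value client-side, and `PDO::ERRMODE_EXCEPTION` turns a failed query into an exception instead of a silent `false` that the original code would have indexed into.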