Question

1. filters
I use PDO and wanted to know if it is still necessary to escape potentially dangerous characters like ('or'' =').
I've already read a lot, and some say that PDO is sufficient to prevent SQL Injection.

2. BBCode
In a text field, is htmlspecialchars the best option for not displaying HTML formatting?

Thanks


Solution

  1. PDO alone is not sufficient. Prepared statements or escaping are the proper methods, whichever access method you use. See this question.
  2. BBCode is not HTML. If you're using BBCode you don't need htmlspecialchars.

OTHER TIPS

if it is still necessary potential escape characters like ('or'' =')

As a matter of fact, escaping "dangerous" characters like 'or' or = was never of any use.

PDO is sufficient to prevent SQL Injection

PDO doesn't do any protection just by itself. It's the prepared statement, which uses a placeholder for every piece of dynamic data in the query, that makes it safe.

For the cases not covered by prepared statements offered by PDO, either use safeMysql or format and whitelist your query parts manually.
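As an added example (not code from the question or from either answer above), the following PHP script shows the point both answers make: the same attacker-controlled string is harmless when it travels through a PDO placeholder and breaks the query when it is interpolated into the SQL text, and the parts a placeholder cannot cover (a sort column and direction) are handled with a whitelist rather than escaping. It assumes an in-memory SQLite database and a `users` table constructed inline for the demonstration; the function names are illustrative.

```php
<?php
// Added example: PDO prepared statements versus string interpolation, plus a
// whitelist for query parts that placeholders cannot represent.
// Assumptions: pdo_sqlite is available; the users table and its rows are
// constructed here purely for the demonstration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql you would also set PDO::ATTR_EMULATE_PREPARES to false so the
// server sees real placeholders instead of client-side string substitution.

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Attacker-controlled input, constructed for the demo: closes the string
// literal and appends an always-true condition.
$input = "' OR '1'='1";

// Unsafe: the value becomes part of the SQL text, so the quote ends the
// literal and the OR clause matches every row.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the value is bound to a placeholder and is never parsed as SQL, so
// no escaping of quotes or keywords is needed (or useful) here.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Placeholders stand in for values only, not identifiers or keywords.
// For a user-chosen sort column and direction, whitelist against a fixed list
// and only ever splice our own known-good literal into the query.
function listUsersSorted(PDO $pdo, string $column, string $direction): array
{
    $allowedColumns = ['id', 'name', 'role'];
    $allowedDirections = ['ASC', 'DESC'];
    if (!in_array($column, $allowedColumns, true)) {
        throw new InvalidArgumentException("Unknown sort column: $column");
    }
    $direction = strtoupper($direction);
    if (!in_array($direction, $allowedDirections, true)) {
        throw new InvalidArgumentException("Unknown sort direction: $direction");
    }
    $stmt = $pdo->query("SELECT name FROM users ORDER BY $column $direction");
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The injected input returns every user through the unsafe path and no user
// through the safe one, because no row's name equals the literal string.
print_r(findUserUnsafe($pdo, $input));
print_r(findUserSafe($pdo, $input));

// Whitelisted identifier: accepted and case-normalised.
print_r(listUsersSorted($pdo, 'name', 'desc'));

// Anything outside the whitelist is rejected before it reaches the query.
try {
    listUsersSorted($pdo, 'name; DROP TABLE users', 'asc');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The whitelist function is the manual "format and whitelist your query parts" approach mentioned above; the values it splices into the query come from its own fixed arrays, so the user's string never reaches the SQL text at all.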

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow