To be protected against SQL injection, you must use PDO's new way of verifying values: binding parameters. This requires that you prepare statements instead of running them directly:
$q = $conn->prepare($sql); // the default way of PDO to manage errors is quite the same as `or die()` so no need for that
Change your where clause:
WHERE tbl_tracking.viewed = :who AND tbl_photos.default_photo IS NULL OR tbl_photos.default_photo = '1'
then bind the value to your statement and execute it:
$q->bindValue(':who',$who,PDO::PARAM_INT);
$q->execute();
or you can execute it directly with an array of values:
$q->execute(array(':who' => $who));
Otherwise, I'm not very sure what your code should be doing, so I can't really tell if it will, but if your SQL worked before using PDO, it should work now too.
For your code to be prone to SQL injection, one of the values in your query must have a way to come from user input, and it must be passed as-is to PDO's prepare(). Since we use a parameter :who instead of $who, there's no way your SQL will be prepared with dangerous values.
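Here is the full prepare / bind / execute flow from the answer above as a runnable, added example; it is not code from the question or the answer. It runs against an in-memory SQLite database so it works offline. The schema (tbl_tracking.viewed, tbl_photos.default_photo, a join on photo_id), the sample rows, the explicit parentheses around the OR, and the helper names connect() and fetchViewed() are assumptions modelled on the WHERE clause in the question.

```php
<?php
// Added example, not code from the question or the answer above: a complete
// prepared-statement flow run against an in-memory SQLite database so it works
// offline. The schema (tbl_tracking.viewed, tbl_photos.default_photo, a join on
// photo_id), the sample rows and the fetchViewed() helper are assumptions
// modelled on the WHERE clause in the question.
declare(strict_types=1);

function connect(): PDO
{
    $conn = new PDO('sqlite::memory:');
    // Throw on any error; this is what makes `or die()` unnecessary.
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Let the database engine itself keep SQL text and bound data separate.
    $conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    // Constructed schema and rows for the demonstration.
    $conn->exec('CREATE TABLE tbl_photos (photo_id INTEGER PRIMARY KEY, default_photo TEXT)');
    $conn->exec('CREATE TABLE tbl_tracking (id INTEGER PRIMARY KEY, photo_id INTEGER, viewed INTEGER)');
    $conn->exec("INSERT INTO tbl_photos VALUES (1, '1'), (2, NULL), (3, '0')");
    $conn->exec('INSERT INTO tbl_tracking VALUES (1, 1, 42), (2, 2, 42), (3, 3, 42), (4, 1, 7)');
    return $conn;
}

/**
 * Returns the tracking rows for one viewer. $who is untrusted (think $_GET['who']).
 * It is validated as an integer first and then bound as a parameter, so it can
 * only ever be compared as a value, never spliced into the SQL text.
 */
function fetchViewed(PDO $conn, string $who): array
{
    $id = filter_var($who, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('viewer id must be an integer');
    }

    // The AND/OR grouping is made explicit with parentheses (an assumption about
    // the intended logic); without them AND binds tighter than OR.
    $sql = 'SELECT tbl_tracking.id, tbl_photos.photo_id, tbl_photos.default_photo
              FROM tbl_tracking
              JOIN tbl_photos ON tbl_photos.photo_id = tbl_tracking.photo_id
             WHERE tbl_tracking.viewed = :who
               AND (tbl_photos.default_photo IS NULL OR tbl_photos.default_photo = \'1\')
             ORDER BY tbl_tracking.id';

    $q = $conn->prepare($sql);
    $q->bindValue(':who', $id, PDO::PARAM_INT);
    $q->execute();
    // Equivalent shorthand: $q->execute([':who' => $id]);
    return $q->fetchAll(PDO::FETCH_ASSOC);
}

$conn = connect();

// Normal request: viewer 42 has three rows, two of which pass the photo filter.
print_r(fetchViewed($conn, '42'));

// A constructed string that would have altered the query if concatenated into
// the SQL text is rejected by the integer check before it reaches the database;
// even without that check, a bound parameter is only ever treated as data.
try {
    fetchViewed($conn, '42 OR 1=1');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Two settings in connect() do the real work: ERRMODE_EXCEPTION makes every failed prepare or execute throw (so no `or die()` is needed), and turning off ATTR_EMULATE_PREPARES sends the statement and its parameters to the database separately instead of having the driver splice quoted values into the SQL string client-side. The integer validation is a separate layer on top: it is not what prevents injection, but it rejects malformed viewer ids early with a clear error.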