Question

I'm new to writing PDO code, and I'm trying to transfer my website code from mysql to PDO. I read a lot of tutorials about binding values, but all the values were taken from an array or were stable ones, and I also noticed that mysql_real_escape_string is replaced with quote in PDO.

Now, while I was rewriting some code from mysql to PDO, I tried to bindValue $_REQUEST['id'], and the code returns a null value.

$cat_id=$DB->quote($_REQUEST['id']);
$sql_cat='select * from '.$prev.'team where id = ? ';
$re_cat=$DB->prepare($sql_cat);
$re_cat->bindValue(1, $cat_id);
$re_cat->execute();
$d_cat=$re_cat->fetch(PDO::FETCH_ASSOC);
$cat_name=$d_cat['title'];
$league = $d_cat['leagueID'];
echo $cat_name;

The question here is: if I remove the quote from the $_REQUEST and just bindValue, will that be secure enough against SQL injection?

No correct solution
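
The behaviour asked about above can be reproduced with the following added example, which is not part of the original question. It assumes the pdo_sqlite extension, with an in-memory SQLite database standing in for the asker's MySQL one; the `team` rows, the sample inputs and the helper `findTeam()` are constructed for illustration.

```php
<?php
// Added example. Constructed schema and rows; SQLite in-memory replaces the real database.
$DB = new PDO('sqlite::memory:');
$DB->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$DB->exec('CREATE TABLE team (id INTEGER PRIMARY KEY, title TEXT, leagueID INTEGER)');
$DB->exec("INSERT INTO team (id, title, leagueID) VALUES (1, 'Lions', 10), (2, 'Tigers', 10)");

// Hypothetical helper: the value travels as a bound parameter and is never
// spliced into the SQL text, so it cannot change the structure of the query.
function findTeam(PDO $db, $id)
{
    $stmt = $db->prepare('SELECT * FROM team WHERE id = ?');
    $stmt->bindValue(1, $id);               // PDO::PARAM_STR by default
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);  // false when no row matches
}

$raw = '1';                                 // stands in for $_REQUEST['id']

// Case 1: quote() followed by bindValue(), as in the question. quote() wraps the
// value in SQL quote characters, and binding then sends those characters as part
// of the data, so the lookup is for an id that literally contains quotes. No row
// matches, fetch() returns false, and reading ['title'] from false gives null.
$quoted = $DB->quote($raw);
var_dump($quoted, findTeam($DB, $quoted));

// Case 2: bindValue() alone on the raw request value finds the row.
var_dump(findTeam($DB, $raw));

// Case 3: SQL-shaped input is compared as one literal value, not parsed as SQL.
var_dump(findTeam($DB, '1 OR 1=1'));

// Stricter variant for a numeric key: validate first, then bind as an integer.
$id = filter_var($raw, FILTER_VALIDATE_INT);
if ($id === false) {
    throw new InvalidArgumentException('id must be an integer');
}
$stmt = $DB->prepare('SELECT title, leagueID FROM team WHERE id = ?');
$stmt->bindValue(1, $id, PDO::PARAM_INT);
$stmt->execute();
var_dump($stmt->fetch(PDO::FETCH_ASSOC));

// Placeholders carry values only. A table prefix such as $prev in the question is
// still concatenated into the SQL string, so it has to come from trusted
// configuration and never from request data.
```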

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow