Tags: php, mysql, pdo, code-injection

Should I use the addslashes function when I'm using PDO?


I heard that PDO defends against injection attacks automatically, so I can make a query without the ' mark.

Then, should I use the addslashes function when I'm using PDO?

I mean...

<?php
    // $d is an existing PDO connection
    $s = $d->prepare("SELECT * FROM `table` WHERE `no`=:n");
    // bindParam binds $data by reference, so it is read at execute() time
    $s->bindParam(":n", $data);
    $data = $_GET["param"];
    $s->execute();
?>

or

<?php
    // $d is an existing PDO connection
    $s = $d->prepare("SELECT * FROM `table` WHERE `no`=:n");
    $s->bindParam(":n", $data);
    // same as above, but the value is passed through addslashes() first
    $data = addslashes($_GET["param"]);
    $s->execute();
?>

Solution

  • No, you don't have to use it. When you're using prepared statements like bindParam, the DB engine automatically does it for you.
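Added example (not part of the original question or answer) showing the difference in practice: a bound parameter is sent as data, so a quote or an injection payload in the input is matched literally, while addslashes() on that same input inserts a backslash that becomes part of the value being searched for and silently breaks the lookup. It assumes an in-memory SQLite database so it runs offline; the table, the row and the sample inputs are constructed for the example. PDO::ATTR_EMULATE_PREPARES is set to false so that on MySQL the server, not the client library, handles the parameter (SQLite always uses native prepares and ignores the attribute).

```php
<?php
// Added example, not code from the original question or answer.
declare(strict_types=1);

// Assumption: in-memory SQLite stands in for the MySQL connection $d from the question.
$d = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE           => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES  => false, // on MySQL: real server-side prepared statements
]);

// Constructed sample data: one row whose value contains a single quote.
$d->exec("CREATE TABLE `table` (`no` TEXT)");
$d->exec("INSERT INTO `table` (`no`) VALUES ('O''Reilly')");

/**
 * Count rows whose `no` column equals $value, using a bound parameter.
 * The value travels separately from the SQL text, so it is never parsed as SQL.
 */
function countMatches(PDO $d, string $value): int
{
    $s = $d->prepare("SELECT COUNT(*) FROM `table` WHERE `no` = :n");
    $s->bindValue(':n', $value, PDO::PARAM_STR);
    $s->execute();
    return (int) $s->fetchColumn();
}

// Constructed stand-ins for $_GET['param'].
$inputs = [
    "O'Reilly",       // legitimate value that happens to contain a quote
    "x' OR '1'='1",   // classic injection attempt
];

foreach ($inputs as $raw) {
    printf(
        "%-18s raw=%d  addslashes=%d\n",
        json_encode($raw),
        countMatches($d, $raw),             // O'Reilly -> 1, payload -> 0: the quote is just data
        countMatches($d, addslashes($raw))  // 0 in both cases: the backslash is now part of the value
    );
}
```

With the raw input, the row "O'Reilly" is found and the injection payload matches nothing, because the quote never reaches the SQL parser. With addslashes() the search value becomes `O\'Reilly`, which exists in no row, so legitimate input is rejected while gaining no protection that the bound parameter did not already provide.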