Tags: php, pdo, sql-injection

When should one use PDO::query?


I have just learned that in order to avoid SQL injections it's better to use the prepare/execute duo:

$pdo = new PDO('mysql:host=something;port=something;dbname=something', 'name', 'pswd');
$sql = "SELECT name FROM users WHERE email = :em AND password = :pw";
$stmt = $pdo->prepare($sql);
// the values are bound by placeholder name and never become part of the SQL text
// (comparing a password column directly in SQL implies plaintext storage;
//  a hashed password checked with password_verify() is the usual approach)
$stmt->execute(array(':em' => $email, ':pw' => $password));

instead of using:

$stmt = $pdo -> query($sql);

the question is:

In what situations does anybody use query instead? Since we have a pretty quick way to secure ourselves from SQL injections, does anybody use the query method anyway? And if so, why?


Solution

  • Virtually never; you will know if you are in a situation where you cannot use it.

    Note that even if you are generating queries on the fly, you should still generate the string with the placeholders and the set of arguments independently of each other.
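Added example, not code from the question or the answer above: it shows the point about generated queries in working PHP, building a WHERE clause and ORDER BY on the fly while the SQL string (with placeholders) and the argument array are assembled side by side, so request input only ever travels as bound data. It also shows the one case where query() is reasonable, a fixed statement with nothing to bind. The DSN, credentials, table `users` with columns name, email, status, created_at, and the column whitelists are assumptions for this example.

```php
<?php
// Added example (not from the original question or answer).
// Assumes a table `users` with columns name, email, status, created_at;
// the DSN, credentials and the column whitelists are placeholders.
declare(strict_types=1);

$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'name',
    'pswd',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// Constructed request input; in practice this comes from $_GET/$_POST.
// The first value is an injection attempt, the sort key a hostile identifier.
$filters = [
    'email'  => "alice@example.com' OR '1'='1",
    'status' => 'active',
];
$sortBy = 'created_at; DROP TABLE users';

// Identifiers (column names) cannot be bound as parameters, so they are
// checked against a fixed list instead of being interpolated from input.
$filterable = ['email', 'status', 'name'];
$sortable   = ['name', 'created_at'];

$where  = [];   // fragments of SQL text containing placeholders only
$params = [];   // the values, kept apart from the SQL text
foreach ($filters as $column => $value) {
    if (!in_array($column, $filterable, true)) {
        continue; // unknown column: drop it rather than interpolate it
    }
    $where[]            = "$column = :$column"; // placeholder into the SQL
    $params[":$column"] = $value;               // value into the argument set
}

$orderBy = in_array($sortBy, $sortable, true) ? $sortBy : 'created_at';

$sql = 'SELECT name, email FROM users'
     . ($where ? ' WHERE ' . implode(' AND ', $where) : '')
     . " ORDER BY $orderBy";

// $sql now reads:
//   SELECT name, email FROM users WHERE email = :email AND status = :status ORDER BY created_at
// and $params carries the raw values, quotes included, as data only.
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// The case where query() is reasonable: a fixed statement with no variable
// parts at all, so there is nothing to bind and nothing an attacker controls.
$total = (int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn();
```

The whitelist step is what keeps this safe once the query shape itself depends on input: placeholders cover values, but column and table names still have to come from a list the application owns, never from the request.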