Possible Duplicate:
How prepared statements can protect from SQL injection attacks?
If I'm using $_GET with PDO, do I still need to escape it? My understanding is that this is immune to SQL injection; however, I still feel uneasy about not escaping it. So could someone please look at this little block of code and tell me if it is secure?
<?php
$hostname = 'localhost';
$username = 'root';
$password = 'root';
$database = 'database';

try {
    $dbh = new PDO("mysql:host=$hostname;dbname=$database", $username, $password);
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // :pid is a named placeholder; the value is passed to the driver
    // separately from the SQL text instead of being spliced into it
    $stmt = $dbh->prepare("SELECT * FROM comments WHERE pid = :pid");
    $pid = $_GET['pid'];
    $stmt->bindParam(':pid', $pid, PDO::PARAM_STR);
    $stmt->execute();
    $result = $stmt->fetchAll();

    // rowCount() belongs inside the try block after the single execute();
    // the original called execute() a second time after the catch block,
    // which fails with an undefined $stmt if the connection threw
    echo $stmt->rowCount();
}
catch (PDOException $e)
{
    echo $e->getMessage();
}

$dbh = null;
?>
Again, it's the $_GET I'm concerned about. Any help is appreciated, thank you.
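As an added example, not part of the question or of any answer on this page, here is one way the same lookup is commonly hardened. The pid value is validated as an integer before it reaches PDO and bound as PDO::PARAM_INT, emulated prepares are turned off so the MySQL server itself receives the placeholder and the value separately, the DSN carries an explicit charset, the driver error is logged rather than echoed to the client, and the comment text is escaped when it is printed, since a bound parameter protects the query but not the HTML that later displays the result. The host, credentials, and the id/author/body column names are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example: hardened version of the lookup from the question.
// Host, credentials, and column names below are assumptions.
$hostname = 'localhost';
$username = 'app_user';
$password = 'change-me';
$database = 'database';

// 1. Validate the untrusted input before it goes anywhere near the database.
//    filter_input() returns false for values such as "12abc" or "1 OR 1=1",
//    and null when the parameter is absent.
$pid = filter_input(INPUT_GET, 'pid', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($pid === false || $pid === null) {
    http_response_code(400);
    exit('Invalid pid');
}

try {
    // 2. Explicit charset in the DSN and real server-side prepares.
    //    With ATTR_EMULATE_PREPARES = false the SQL text and the parameter
    //    value travel to MySQL separately, so the value is never parsed as SQL.
    $dbh = new PDO(
        "mysql:host=$hostname;dbname=$database;charset=utf8mb4",
        $username,
        $password,
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );

    // 3. Placeholder for the value, with the type declared rather than inferred.
    $stmt = $dbh->prepare('SELECT id, author, body FROM comments WHERE pid = :pid');
    $stmt->bindValue(':pid', $pid, PDO::PARAM_INT);
    $stmt->execute();
    $comments = $stmt->fetchAll();
} catch (PDOException $e) {
    // 4. Log the driver message for the operator; never echo it to the client,
    //    since it can reveal table names, the DSN, or the SQL itself.
    error_log('comments lookup failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Database error');
}

// 5. The bound parameter protected the query, not the page: escape on output.
foreach ($comments as $row) {
    echo '<p>',
         htmlspecialchars($row['author'], ENT_QUOTES | ENT_HTML5, 'UTF-8'),
         ': ',
         htmlspecialchars($row['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8'),
         '</p>';
}
echo count($comments), ' comment(s)';
```

Two caveats worth keeping in mind when reading this: placeholders can only stand in for values, so a table name, column name, or ORDER BY direction taken from the request still has to be checked against a whitelist rather than bound; and count($comments) is used instead of rowCount() because PDO does not guarantee rowCount() for SELECT statements on every driver.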
Yes, the prepared statement feature does what it says. But since you asked, let's be clear that it's not the end of the story. I'm looking at the OWASP Top Ten Application Security Risks 2010.
For example: