phppdosql-injection

How does PHP PDO's prepared statements prevent sql injection? What are other benefits of using PDO? Does using PDO reduce efficiency?


I have been spotting the sentence "PHP PDO's prepared statements prevents SQL injection".

I have read this: Are PDO prepared statements sufficient to prevent SQL injection? But the data there is not completely clear.


Solution

  • Well, at second glance your question looks more complex to be answered with just one link

    How does php pdo's prepared statements prevent sql injection?

    How can prepared statements protect from SQL injection attacks?

    What are other pros/cons of using PDO?

    Most interesting question.
    A greatest PDO disadvantage is: it is peddled and propagated a silver bullet, another idol to worship.
    While without understanding it will do no good at all, like any other tool.
    PDO has some key features like

    Does using PDO reduce efficiency?

    Again, it is not PDO, but prepared statements that reduces efficiency. It depends on the network latency between the db server and your application but you may count it negligible for the most real world cases.