Are PDO prepared statements sufficient to prevent SQL injection?

Let's say I have code like this:

```php
$dbh = new PDO("blahblah");
$stmt = $dbh->prepare('SELECT * FROM users where username = :username');
$stmt->execute( array(':username' => $_REQUEST['username']) );
```

The PDO documentation says: "The parameters to prepared statements don't need to be quoted; the driver handles it for you." Is that truly all I need to do to …
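As an added example (not part of the question above), the following shows the pattern the question asks about in runnable form, together with the caveat a reviewer would raise: placeholders only stand in for values, so identifiers such as an ORDER BY column still have to be checked against an allow-list. It uses an in-memory SQLite database so it runs offline; the table, rows, user names and the `findUser`/`listUsers` helpers are all constructed here and are not from the question or from PDO itself.

```php
<?php
// Added example, not from the original question: PDO prepared statements with
// bound values, plus an allow-list for the one thing placeholders cannot bind.
// The database, table and sample rows below are constructed for this example.
declare(strict_types=1);

$dbh = new PDO('sqlite::memory:', null, null, [
    // Throw on errors instead of silently returning false.
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    // Ask for server-side prepares. SQLite always prepares natively, so this
    // is a no-op here; on drivers such as MySQL it stops PDO from building the
    // SQL text itself by quoting values client-side, which is the behaviour the
    // documentation sentence in the question refers to.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL)');
$ins = $dbh->prepare('INSERT INTO users (username, email) VALUES (:u, :e)');
foreach ([['alice', 'alice@example.test'], ["o'connor", 'oconnor@example.test']] as [$u, $e]) {
    // The apostrophe in o'connor needs no escaping: it travels as data, not SQL.
    $ins->execute([':u' => $u, ':e' => $e]);
}

/**
 * Look up a user by name. The value is bound to :username, so any quote or
 * comment marker inside it is compared literally and never parsed as SQL.
 */
function findUser(PDO $dbh, string $username): ?array
{
    $stmt = $dbh->prepare('SELECT id, username, email FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Placeholders can only replace values. The ORDER BY column is an identifier
 * and cannot be bound, so it is validated against a fixed allow-list before
 * being interpolated into the SQL text; the LIMIT is bound as an integer.
 */
function listUsers(PDO $dbh, string $orderBy, int $limit): array
{
    $allowed = ['id', 'username', 'email'];
    if (!in_array($orderBy, $allowed, true)) {
        throw new InvalidArgumentException("Unsupported sort column: $orderBy");
    }
    // Safe only because $orderBy is one of the literals in $allowed.
    $stmt = $dbh->prepare("SELECT id, username, email FROM users ORDER BY $orderBy LIMIT :limit");
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

var_dump(findUser($dbh, 'alice')['email']);      // alice@example.test
var_dump(findUser($dbh, "o'connor")['email']);   // oconnor@example.test, quote handled by the driver
var_dump(findUser($dbh, 'nobody'));              // NULL
var_dump(count(listUsers($dbh, 'username', 10))); // 2

try {
    // A column name that is not on the allow-list is rejected before any SQL is built.
    listUsers($dbh, 'created_at', 10);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The first two lookups are the point of the question: the value is sent separately from the query text, so the driver never has to quote it. The `listUsers` helper is the part prepared statements do not cover on their own; anything that is part of the SQL grammar rather than a value (table and column names, sort direction, keywords) has to be constrained in application code.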