Thread: Escaping in PDO
11-22-2009, 06:58 AM   #1
Killswitch

I have a quick question about using PDO and escaping vars. I am new to PDO, so excuse me if this is kinda noobish of me...

I need to run an insert and I checked the manual's PDO->quote for escaping data in a query. It recommended using a prepared statement and binding params, so I am trying this method instead.

I have my prepare statement, params bound, but do I still need to escape the bound params now?

The vars are coming from a posted form. I *DID* have it set up so I was manually assigning vars from the $_POST, with $db->quote, trim() and all that goodness, but then I remembered extract(), which quickly gave me my vars.

Just curious and was looking for a little insight into using PDO.
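An added example, not part of the original post: the insert described above done with a prepared statement and bound parameters, with a second insert showing what happens when a bound value is also passed through `quote()`. The `members` table, the `name`/`email` fields, the `form_fields()` helper and the in-memory SQLite database are assumptions for illustration; the form data is constructed. Fields are picked by name rather than with `extract()`, because `extract()` on `$_POST` lets a posted field called `db` overwrite `$db`.

```php
<?php
// Added example: table, field and helper names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (name TEXT, email TEXT)');

// Constructed stand-in for $_POST. The extra 'db' key is the kind of
// field that extract($_POST) would turn into a variable named $db.
$post = [
    'name'  => "  Conan O'Brien  ",
    'email' => 'conan@example.test',
    'db'    => 'unexpected extra field',
];

// Copy only the expected fields, trimmed; everything else is ignored.
function form_fields(array $post, array $allowed): array
{
    $out = [];
    foreach ($allowed as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {
            throw new InvalidArgumentException("Field $field must be a string");
        }
        $out[$field] = trim($value);
    }
    return $out;
}

$fields = form_fields($post, ['name', 'email']);

$stmt = $db->prepare('INSERT INTO members (name, email) VALUES (:name, :email)');

// Bound values travel as data, never as SQL text, so they are not escaped.
$stmt->bindValue(':name', $fields['name'], PDO::PARAM_STR);
$stmt->bindValue(':email', $fields['email'], PDO::PARAM_STR);
$stmt->execute();

// Counter-example: quoting a bound value stores the quote characters too.
$stmt->bindValue(':name', $db->quote($fields['name']), PDO::PARAM_STR);
$stmt->execute();

// Print both rows: the first name is stored as entered, the second
// carries the literal quoting that quote() added.
foreach ($db->query('SELECT name, email FROM members') as $row) {
    echo $row['name'], ' <', $row['email'], ">\n";
}
```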