Can this prepared statement prevent SQL injection?

This question already has an answer here:

  • Are PDO prepared statements sufficient to prevent SQL injection? 7 answers

  • Yes, it will prevent SQL injection because:

    Prepared statements use bound parameters.

    Prepared statements do not combine variables with SQL strings, so it is not possible for an attacker to modify the SQL statement.

    Prepared statements combine the variable with the compiled SQL statement; this means that the SQL and the variables are sent separately, and the variables are just interpreted as strings, not as part of the SQL statement.
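The point made in this answer, shown as an added example (not code from the question or the answer): the same lookup is written once with string concatenation and once with bound parameters. Python's sqlite3 driver is used here instead of PDO, but the mechanism is the same: the SQL text is fixed and the values are passed separately, so the injected value is only ever compared as a string. The table and the rows in it are constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory sample table; not from the original page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_concat(conn: sqlite3.Connection, name: str, password: str) -> list:
    # Vulnerable form: the input is spliced into the SQL text, so the
    # input can change the statement itself (here it adds an OR clause).
    sql = (
        "SELECT name FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn: sqlite3.Connection, name: str, password: str) -> list:
    # Safe form: the SQL text never changes; the values are bound to the
    # placeholders and are compared as plain strings, not parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


# Classic textbook input used to show the difference between the two forms.
INJECTED = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "alice", INJECTED))    # ['alice', 'bob']
    print(login_prepared(db, "alice", INJECTED))  # []
    print(login_prepared(db, "alice", "s3cret"))  # ['alice']
```

With concatenation the password check is bypassed and every row comes back; with the bound parameter the same input matches nothing, while the genuine credentials still work.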
