Is sanitizing data + parameterisation in PDO overkill?

This question already has an answer here:

  • Are PDO prepared statements sufficient to prevent SQL injection?

There are three possible answers to this question.

  • If your concern is SQL injection only, and the whole SQL query is hardcoded in the PHP script (as in your example), then nothing but a prepared statement is needed. Thus sanitize_string is overkill and rather irrelevant.
  • If your concern is SQL injection only, and some parts of the SQL are assembled dynamically, you have to protect these parts. But the protection should be specific to these parts, which makes sanitize_string rather useless.
  • If your concern is not only SQL injection but whatever other security or usability issues, then you may want to sanitize or validate your data according to those concerns. One of these cases might make use of sanitize_string as well.
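The first two cases above, shown side by side as an added example (not code from the question or the answer). It assumes an in-memory SQLite database reachable through PDO; the users table, its rows and the function names are constructed here for illustration.

```php
<?php
// Constructed sample database; sqlite::memory: needs no server or files.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)');
$pdo->exec("INSERT INTO users (name, age) VALUES ('alice', 31), ('bob', 25), ('o''brien', 40)");

// Case 1: the whole statement is hardcoded and only a value varies.
// A bound parameter is sufficient; the value is never parsed as SQL, so
// no sanitize_string-style escaping is needed on top of it.
function findByName(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
var_dump(findByName($pdo, "o'brien"));        // one row; the quote is plain data
var_dump(findByName($pdo, "' OR '1'='1"));    // empty; no user has that literal name

// Case 2: part of the SQL text itself (an identifier and a keyword) is chosen
// at run time. Placeholders cannot bind identifiers, so this part needs a
// protection specific to it: a whitelist mapping user input to fixed SQL.
function listUsers(PDO $pdo, string $orderBy, string $dir): array {
    $allowedColumns = ['name' => 'name', 'age' => 'age'];
    $allowedDirs    = ['asc' => 'ASC', 'desc' => 'DESC'];
    $dirKey = strtolower($dir);
    if (!isset($allowedColumns[$orderBy], $allowedDirs[$dirKey])) {
        throw new InvalidArgumentException('unsupported sort option');
    }
    // Only whitelisted fragments ever reach the query string.
    $sql = sprintf('SELECT name FROM users ORDER BY %s %s',
                   $allowedColumns[$orderBy], $allowedDirs[$dirKey]);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}
var_dump(listUsers($pdo, 'age', 'desc'));     // o'brien, alice, bob
try {
    listUsers($pdo, 'age; DROP TABLE users', 'asc');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";              // rejected before any SQL is built
}
```

The third case in the answer (validation for reasons other than injection, such as requiring age to be a positive integer) is separate from both mechanisms and belongs in application-level validation, not in the query layer.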