Single Quote Escape in PDO Prepared Statement Parameters

So I understand PDO Prepared Statements should protect from SQL injection and ' escapes. But when I attempted the following...

if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST["id"]))
{   
    $id = $_POST["id"]; 
    //$id = "2' AND name='Entry2";
    $someinfo = "updated";

    ...DB Stuff...

    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $dbpassword);

    $stmt = $conn->prepare("UPDATE testdb SET info=:someinfo WHERE id=:id");

    $stmt->bindParam(':id', $id);
    $stmt->bindParam(':someinfo', $someinfo);
    $stmt->execute();

    $conn = null;

    exit();
}

Then the row with id=2 and name=entry2 would be updated. Now it doesn't seem like this can be used to escape into other SQL queries, and I assume I can take precautions to ensure this kind of escape can't really do damage. But I wanted to be sure that there wasn't some other way to prevent ' escapes making unexpected changes to SQL query parameters. (Worth noting, I tried something similar in SQLi and got pretty much the same result.)

Is there something I'm missing? Or is this just the way Prepared Statements work.

---

After looking around some more, this behavior was eloquently explained/solved for me here: https://phpdelusions.net/pdo#comment-277

It turns out it's not escaping the string, but instead truncating input after the integer which just made it appear to escape the string. I was able to confirm this upon modifying the code.

链接地址: http://www.djcxy.com/p/93802.html

上一篇: 什么是SQL注入？

下一篇: 在PDO准备语句参数中单引号退出