YouHoGeon - 5 months ago
SQL Question

Should I use the addslashes function when I am using PDO?

I heard that PDO defends against injection attacks automatically.
So I can make a query without the ' mark.

Then, should I use the addslashes function when I am using PDO?

I mean...

<?php
// $d is an existing PDO connection; :n is a named placeholder
$s = $d->prepare("SELECT * FROM `table` WHERE `no`=:n");
// bindParam binds $data by reference, so the value assigned below is what execute() sends
$s->bindParam(":n", $data);
$data = $_GET["param"];
$s->execute();
?>

or

<?php
// same query, but the value is run through addslashes() before execute()
$s = $d->prepare("SELECT * FROM `table` WHERE `no`=:n");
$s->bindParam(":n", $data);
$data = addslashes($_GET["param"]);
$s->execute();
?>

Answer

No, you don't have to use it. When you're using prepared statements like bindParam, the DB engine automatically does it for you.
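As an added example (not code from the question or the answer), the script below uses PDO with an in-memory SQLite table to show that a bound value is compared as data even when it contains quotes or SQL tokens, and that addslashes() on top of binding corrupts the value so real rows are missed; the table, rows and countRows helper are constructed here for illustration.

```php
<?php
// Added example: in-memory SQLite so it runs offline; table and rows are constructed here.
$d = new PDO('sqlite::memory:');
$d->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$d->exec("CREATE TABLE `table` (`no` INTEGER PRIMARY KEY, `name` TEXT)");
$ins = $d->prepare("INSERT INTO `table` (`no`, `name`) VALUES (:no, :name)");
foreach ([[1, 'Alice'], [2, "O'Brien"]] as [$no, $name]) {
    $ins->execute([':no' => $no, ':name' => $name]);
}

// Two prepared lookups, one per column; the SQL text is fixed and only :n varies.
$byNo   = $d->prepare("SELECT COUNT(*) FROM `table` WHERE `no` = :n");
$byName = $d->prepare("SELECT COUNT(*) FROM `table` WHERE `name` = :n");

// Hypothetical helper: same lookup as the question, but with bindValue, which
// captures the value at bind time instead of by reference at execute() time.
function countRows(PDOStatement $s, string $param): int {
    $s->bindValue(':n', $param);   // raw request-style value, no addslashes()
    $s->execute();
    return (int) $s->fetchColumn();
}

$cases = [
    // [statement, value handed to the query, what the result demonstrates]
    [$byNo,   '1',                    'plain value: matches the one row with no = 1'],
    [$byNo,   '1 OR 1=1',             'SQL tokens stay inside the bound value; no row has that no'],
    [$byName, "' OR '1'='1",          'the quote is data, not syntax; no row has that name'],
    [$byName, "O'Brien",              'a name containing a quote is matched as typed'],
    [$byName, addslashes("O'Brien"),  "addslashes() changed the value to O\\'Brien, so the row is missed"],
];
foreach ($cases as [$stmt, $value, $note]) {
    printf("%-22s -> %d row(s)  (%s)\n", $value, countRows($stmt, $value), $note);
}
```

The last two cases are the practical point of the answer: binding already delivers the quote safely, and escaping it a second time stores or compares a different string than the user typed.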