jmercier - 1 year ago
MySQL Question

Is it secure to Store value in var for PDO PHP?

I wonder if it is secure to store a value for a prepared query like that:

$notGood = 'yes';
$req = $pdo->prepare('SELECT id_user, name_user, tel_user, a_valid_user FROM user WHERE a_valid_user = ?');
$req->execute([$notGood]); // the array binds the value to the ? placeholder


I do not know if it's the right way to do it when you know the value in advance.
Thanks for your advice.

Answer Source

Yes, as long as your variable is represented by a placeholder (?) in the query, it is safe.

In case you are curious whether it is secure or not to send a variable into execute, it's just syntactic sugar for bindValue(), which makes PDO extremely convenient to use. So I recommend using it whenever possible.
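As an added illustration of the answer (this is not code from the question or the answer), the same query in both forms, execute([...]) and explicit bindValue(), run against an in-memory SQLite database with a constructed user table so it works without a MySQL server:

```php
<?php
// Added example. Uses an in-memory SQLite database (an assumption made so the
// script runs offline); the schema and rows are constructed here to mirror the
// column names used in the question.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id_user INTEGER PRIMARY KEY, name_user TEXT, tel_user TEXT, a_valid_user TEXT)');
$pdo->exec("INSERT INTO user (name_user, tel_user, a_valid_user) VALUES ('alice', '555-0100', 'yes'), ('bob', '555-0101', 'no')");

$sql = 'SELECT id_user, name_user, tel_user, a_valid_user FROM user WHERE a_valid_user = ?';

// Form 1: the array passed to execute() binds each value to its ? placeholder
// (every entry is bound as a string, PDO::PARAM_STR).
function fetchByFlagExecute(PDO $pdo, string $sql, string $flag): array
{
    $req = $pdo->prepare($sql);
    $req->execute([$flag]);
    return $req->fetchAll(PDO::FETCH_ASSOC);
}

// Form 2: the same query with an explicit bindValue(); execute([...]) above is
// shorthand for this, so both return identical rows.
function fetchByFlagBind(PDO $pdo, string $sql, string $flag): array
{
    $req = $pdo->prepare($sql);
    $req->bindValue(1, $flag, PDO::PARAM_STR);
    $req->execute();
    return $req->fetchAll(PDO::FETCH_ASSOC);
}

$notGood = 'yes';
$same = fetchByFlagExecute($pdo, $sql, $notGood) === fetchByFlagBind($pdo, $sql, $notGood);
echo 'execute([...]) and bindValue() agree: ', $same ? 'yes' : 'no', PHP_EOL;

// Why the placeholder is what makes it safe: a value containing a quote is
// still passed as data, so the statement neither fails nor changes meaning;
// it simply matches no row because no a_valid_user holds that literal text.
$withQuote = "yes'";
$rows = fetchByFlagExecute($pdo, $sql, $withQuote);
echo 'rows matching a value that contains a quote: ', count($rows), PHP_EOL;
```

Whether the value is a fixed literal like 'yes' or user input makes no difference to PDO; the protection comes from the placeholder, not from where the value originated.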