PDO: does prepare() escape all data, even if not bound?

samjk

New Member
Certain data types, i.e. numbers or a table name, cannot be added as a parameter with PDO, as it adds single quotes around them. When I add them (the variables) manually, I write something like this:

[code]
$statement = $dbh->prepare("INSERT INTO $TABLE_NAME (id, foo, timestamp) VALUES (1234, ?, 4567890)");
$statement->execute(Array($foo));
[/code]

My question is: does prepare() escape or properly handle ALL data within? Or just data that is bound by execute() / parameter binding? My placing variables directly into the [code]prepare()[/code] statement is rare, but I really wish to know, for security, when writing these.
 
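The following is an added example, not code from the original post, that answers the question empirically: PDO::prepare() protects only the values that are bound through placeholders; whatever is interpolated into the SQL string (here $TABLE_NAME) is sent to the database verbatim, so prepare() neither escapes nor validates it. It runs against an in-memory SQLite database; the table names, column names and the sample "secret" row are made up for illustration, and the hardened insertEvent() helper is an assumed pattern, not a PDO API.

```php
<?php
// Added example (not from the original post). Shows that PDO::prepare() only
// protects bound values; text interpolated into the SQL string is sent as-is.
// Uses an in-memory SQLite database so it runs stand-alone. Table and column
// names, and the 'hunter2' row, are constructed for the demonstration.
declare(strict_types=1);

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, foo TEXT, timestamp INTEGER)');
$dbh->exec('CREATE TABLE secrets (id INTEGER PRIMARY KEY, token TEXT)');
$dbh->exec("INSERT INTO secrets (id, token) VALUES (1, 'hunter2')");

// 1. A bound value is safe: the quote and the SQL inside $foo are stored as
//    plain data, the placeholder never becomes part of the statement text.
$foo = "x'); DELETE FROM events; --";
$stmt = $dbh->prepare('INSERT INTO events (id, foo, timestamp) VALUES (1234, ?, 4567890)');
$stmt->execute([$foo]);
$stored = $dbh->query('SELECT foo FROM events WHERE id = 1234')->fetchColumn();
assert($stored === $foo);          // stored verbatim, nothing was executed

// 2. An interpolated identifier is NOT escaped: prepare() compiles whatever
//    string it is given. Pretend $table came from $_GET['table'].
$table = 'events UNION SELECT token FROM secrets';
$stmt = $dbh->prepare("SELECT foo FROM $table");   // injected SQL is part of the query
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
assert(in_array('hunter2', $rows, true));          // the secrets table leaked

// 3. Hardened pattern (assumed helper, not part of PDO): identifiers must match
//    a fixed allow-list, numbers are typed and bound as integers, and every
//    value goes through a placeholder. Nothing user-controlled touches the SQL text.
function insertEvent(PDO $dbh, string $table, int $id, string $foo, int $ts): void
{
    static $allowedTables = ['events' => true];      // known-good identifiers only
    if (!isset($allowedTables[$table])) {
        throw new InvalidArgumentException("table not allowed: $table");
    }
    // $table is now a constant from our own list; quoting it is belt and braces.
    $stmt = $dbh->prepare("INSERT INTO \"$table\" (id, foo, timestamp) VALUES (:id, :foo, :ts)");
    $stmt->bindValue(':id',  $id,  PDO::PARAM_INT);   // sent as a number, not a quoted string
    $stmt->bindValue(':foo', $foo, PDO::PARAM_STR);
    $stmt->bindValue(':ts',  $ts,  PDO::PARAM_INT);
    $stmt->execute();
}

insertEvent($dbh, 'events', 1235, $foo, 4567890);    // fine
try {
    insertEvent($dbh, $table, 1236, 'x', 0);          // the injected name is rejected
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Two caveats a practitioner should keep in mind. First, whether PDO uses emulated prepares (the MySQL driver's default) or real server-side prepares only changes where the bound values are quoted; in both modes the SQL string itself, including any interpolated $TABLE_NAME, is never touched, so identifiers have to be validated in application code, as the allow-list above does. Second, binding a PHP int with PDO::PARAM_INT is the way to pass numbers such as LIMIT or id values without the single quotes the original post mentions; the quoting only appears when a value is bound as a string. On MySQL, quote identifiers with backticks rather than the double quotes SQLite accepts here.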