Escaping strings with PHP PDO

class _display
{
    private function threads($id){
        // prepare() returns a PDOStatement; execute() and fetch() belong to it, not to the PDO handle
        $stmt = $this->dbh->prepare("select * from threads where id = :id");
        $stmt->execute(array(':id' => $id));
        $row = $stmt->fetch();
    }
}


$id = $_GET['id'];

Do I need to do anything to $id?

TL;DR: No, parameters in prepared statements do not need to be escaped.

The whole issue of escaping SQL queries came about because the ancient mysql_* library was only passing in the whole query as a string, without a way of specifying "this is syntax" and "this is data" - that was implicit from the syntax, and it was the responsibility of the caller to pass in a valid statement; that also allowed for malformed/malicious data to be treated as syntax, resulting in SQL injections etc.

Prepared statements are taking a different approach: you are sending the query with placeholders, and you pass in the data separately. Because of this, it is not needed to escape the data, as it's already separated from the syntax. (Of course, prepared statements are not a silver bullet, but using them effectively closes one major class of vulnerabilities)

You can bind the value of $id

 $get = $this->dbh->prepare("select * from threads where id = ?");
 $get->bindValue(1, $id, PDO::PARAM_INT);
 $get->execute(); // execute() returns a bool, not the row
 $data = $get->fetch(PDO::FETCH_ASSOC);

This will reduce the chance of SQL injection, as we bind id as an integer, and this is best practice.
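The point both answers make (the query text is fixed and $id travels separately as data), as an added example that is not from the question or either answer. It uses an in-memory SQLite database with constructed rows so it runs offline; the table name threads is the question's, and threadUnsafe, threadPrepared and threadById are names chosen here.

```php
<?php
// Added example, not code from the question or the answers. Constructed data:
// an in-memory SQLite "threads" table with two rows.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE threads (id INTEGER PRIMARY KEY, title TEXT)");
$dbh->exec("INSERT INTO threads (id, title) VALUES (1, 'first'), (2, 'second')");

// The pattern the first answer describes: query and data are sent as one
// string, so any SQL syntax inside $id is parsed as part of the statement.
function threadUnsafe(PDO $dbh, string $id): array {
    return $dbh->query("SELECT * FROM threads WHERE id = " . $id)
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the query text is fixed, $id is passed separately as a
// value. No escaping is applied to it and it is never parsed as SQL.
function threadPrepared(PDO $dbh, string $id): array {
    $stmt = $dbh->prepare("SELECT * FROM threads WHERE id = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The second answer's form plus an explicit check: reject anything that is
// not an integer before it reaches the database, then bind it as PARAM_INT.
function threadById(PDO $dbh, string $rawId): ?array {
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // not a valid integer id
    }
    $stmt = $dbh->prepare("SELECT * FROM threads WHERE id = ?");
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed untrusted input, the kind $_GET['id'] may carry.
$input = "1 OR 1=1";
var_dump(count(threadUnsafe($dbh, $input)));   // the string became syntax
var_dump(count(threadPrepared($dbh, $input))); // the whole string is compared as data
var_dump(threadById($dbh, $input));            // rejected before any query runs
var_dump(threadById($dbh, "2"));               // a normal lookup
```

How many rows threadPrepared returns for a non-numeric string depends on the database's type coercion (SQLite compares it as text, MySQL would coerce it to a number), which is why threadById validates and binds the id as an integer rather than relying on that behaviour.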