I'm relatively new to PDO and i have written the following block of code:
$id = $_GET['id'];
$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8', 'username', 'password');
foreach($db->query("SELECT id,name FROM names where id = '$id' ") as $row) {
echo "<p>", ($row['name']), "<br>";
}
My uncertainties are:
Thanks
No, this is not safe. PDO doesn't magically escape your queries for you. Your code, as shown, is wide open to SQL injection.
If you are using variables in your query, don't use ->query. Do not try to escape them yourself. You should be using prepared statements. That's the way to be safe.
$stmt = $db->prepare('SELECT id,name FROM names where id = ?');
if($stmt->execute(array($id))){
while($row = $stmt->fetch(PDO::FETCH_ASSOC)){
echo "<p>", ($row['name']), "<br>";
}
}
So, yes, you need to use bindParam, or execute, as shown.
P.S. mysql_real_escape_string is only for the (deprecated) mysql_ extension. It doesn't work with PDO.
to answer your questions,
it is safe to omit mysql_real_escape_string as long as you use bindings (well.... you can't use mysql_real_escape_string with PDO anyway)
Nope. It is absolutely unsafe. doesn't matter whether you are using PDO or not.