izniburak/pdox

Security question: prepared statements

Closed this issue · 2 comments

Hello! It's me again. I just looked through the db class and a question came up: why don't you use prepared statements? As I have read in posts on the internet, they say:

The reason we must use PDOStatement::prepare() and bound variables for user data is to prevent SQL injection attacks.

So, as I understand it, prepared statements need to be made for the update and insert methods. Or is there something I don't know?

Here is a class that I made some years ago; it already has prepared statements, and you can use ideas from there to implement this in your class:
go to the page

Hi @nikiedev ,
We use the escape method in PDOx. This method calls the quote method of the PDO class. So, we are filtering the data to protect against security problems like SQL injection. We could use the prepare method, but we didn't. Now, we don't need these methods, but if we need these changes, we can make an enhancement to the library.

Thanks.
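To make the difference between the two approaches in this thread concrete, here is an added example (not PDOx code, and not from either participant) that runs the same lookup with a bound parameter and with `PDO::quote()`, and then shows the one case where quoting is not an option at all. It assumes PHP with the `pdo_sqlite` extension; the table, the rows, the hostile input and the function names `findByName`, `findByNameQuoted` and `listUsers` are all constructed for this illustration.

```php
<?php
// Added example, not part of PDOx: bound parameters vs PDO::quote() on an in-memory SQLite DB.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample schema and rows.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed hostile input: a value that would close the string literal if spliced in raw.
$input = "x' OR '1'='1";

// 1) Prepared statement with a bound parameter. The SQL text is fixed when prepare() is called;
//    the value travels separately, so it can never change the structure of the statement.
function findByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2) Escaping with PDO::quote(). The driver wraps the value in quotes and doubles any inner
//    quote, which is correct here, but the result is still concatenated into SQL text, so it
//    only protects positions where a quoted string literal is syntactically valid.
function findByNameQuoted(PDO $pdo, string $name): array
{
    $sql = 'SELECT name, role FROM users WHERE name = ' . $pdo->quote($name);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3) Where quote() cannot be used: a LIMIT count is an integer and a sort column is an
//    identifier, neither of which may be written as a quoted string. The integer is bound with
//    an explicit type; the identifier is checked against a fixed allow-list before interpolation.
function listUsers(PDO $pdo, int $limit, string $orderBy): array
{
    $allowedColumns = ['name', 'role'];
    if (!in_array($orderBy, $allowedColumns, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $stmt = $pdo->prepare("SELECT name, role FROM users ORDER BY $orderBy LIMIT :limit");
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Both lookups treat the hostile string as a plain value to match against, not as SQL.
var_dump(findByName($pdo, $input));
var_dump(findByNameQuoted($pdo, $input));
// The typed LIMIT and allow-listed ORDER BY run without any string escaping.
var_dump(listUsers($pdo, 1, 'name'));
```

Two points worth keeping in mind when relying on `quote()` as the thread's reply does: `PDO::quote()` is implemented per driver and returns `false` on drivers that do not support it, so a wrapper has to handle that return value rather than concatenate it; and on MySQL, setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the server itself bind the parameters, which is the form of prepared statement the quoted advice in the opening post refers to.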