Certain data types (i.e. amounts), or perhaps a table name, can't be added as a parameter with PDO, because it adds single quotes around them.
After I add them (the variables) by hand, say something like this:
$statement = $dbh->prepare("INSERT INTO $TABLE_NAME (id, foo, timestamp) VALUES (1234, ?, 4567890)");
$statement->execute(array($foo));
My real question is: does prepare() escape or correctly handle ALL data within? Or just data that's bound by execute() / parameter binding? Placing variables directly into the prepare() statement is rare for me, but I really need to know, for security, when writing these.
While there may be safety measures to prevent unescaped data from entering the system, you cannot assume that whatever you put directly into the query will be escaped correctly.
Always bind parameters for all incoming data.
No, prepare() only escapes data that goes through placeholders.
No. AFAIK $-expansion is handled directly by PHP, and "foo $bar baz" is the same as "foo " . $bar . " baz".
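An added example, not code from the question or from any of the answers above: it runs the point of the answers against an in-memory SQLite PDO connection, showing that a value interpolated into the SQL string is not escaped while a bound one is, and how to handle the two cases the question raises (table names and numbers) that cannot simply be bound as quoted strings. The `insertRow` helper, the `events` table and the allow-list are assumptions of this example.

```php
<?php
// Added example (not from the question or answers). Uses an in-memory SQLite
// database so it runs stand-alone: php this_file.php
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, foo TEXT, timestamp INTEGER)');

// Constructed input: a value containing a single quote.
$foo = "O'Brien";

// 1. Interpolated into the SQL string: PHP expands $foo before prepare() ever
//    sees it, so the quote becomes part of the SQL text and breaks the statement.
try {
    $dbh->prepare("INSERT INTO events (id, foo, timestamp) VALUES (1, '$foo', 4567890)")
        ->execute();
} catch (PDOException $e) {
    echo "interpolated: ", $e->getMessage(), PHP_EOL;   // SQLite: syntax error near "Brien"
}

// 2. Bound through a placeholder: the driver keeps the value apart from the SQL.
$stmt = $dbh->prepare('INSERT INTO events (id, foo, timestamp) VALUES (1, ?, 4567890)');
$stmt->execute([$foo]);

// 3. Identifiers cannot be placeholders and numbers must not be quoted:
//    - table name: accept only values from a fixed allow-list you control;
//    - numbers: cast to int and bind with PDO::PARAM_INT so no quotes are added.
$allowedTables = ['events' => true, 'archive' => true];

function insertRow(PDO $dbh, array $allowed, string $table, int $id, string $foo, int $ts): void
{
    if (!isset($allowed[$table])) {
        throw new InvalidArgumentException("table not allowed: $table");
    }
    // $table is safe to interpolate only because it matched the allow-list.
    $stmt = $dbh->prepare("INSERT INTO $table (id, foo, timestamp) VALUES (:id, :foo, :ts)");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':foo', $foo, PDO::PARAM_STR);
    $stmt->bindValue(':ts', $ts, PDO::PARAM_INT);
    $stmt->execute();
}

insertRow($dbh, $allowedTables, 'events', 2, $foo, 4567891);

// Constructed untrusted table name: rejected before it reaches the SQL string.
try {
    insertRow($dbh, $allowedTables, 'some_other_table', 3, 'x', 1);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

echo 'rows: ', $dbh->query('SELECT COUNT(*) FROM events')->fetchColumn(), PHP_EOL; // rows: 2
```

On MySQL with PDO::ATTR_EMULATE_PREPARES left at its default, a bound value is quoted as a string unless you pass PDO::PARAM_INT, which is the quoting behaviour the question complains about.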