
PHP

How does PDO::prepare protect your application from SQL Injection?

Hi! I know that PDO::prepare protects your application from a SQL Injection, but now I'm wondering how it works.

https://www.php.net/manual/en/pdo.prepare.php

2 Answers

Jennifer Nordell
STAFF
Treehouse Teacher

Hi there, Kevin Narain! The idea here is that it is "escaping the string". Some characters have special meaning to databases. So PHP is going through the string it's supposed to bind to the values in the ? and removing special characters that could make that executable code on the database.

I might suggest this Stack Overflow answer, which gives some details.

Also, PDO is not the only thing known for "autoescaping". Most templating languages like Twig, Blade, and Django templates also use this to help protect your site from nefarious input :smiley:

Hope this helps! :sparkles:

Thanks for your answer as always, Jennifer ^-^.
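The difference between building the SQL string by hand and letting PDO::prepare bind the value, as an added example that is not part of this thread; it assumes the pdo_sqlite extension and a constructed in-memory `users` table:

```php
<?php
// Added example (not from the thread): string-built SQL beside a prepared
// statement, run against a constructed in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed user input containing a quote and an always-true clause.
$input = "nobody' OR '1'='1";

// Vulnerable: the input is pasted into the SQL text, so the quote closes
// the string literal and the OR clause becomes part of the query itself.
function findByNameUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the SQL text is fixed when prepare() is called; the value is sent
// as a bound parameter, so the driver (or PDO's emulation layer) treats it
// as data only. The query looks for a user literally named
// "nobody' OR '1'='1" and matches no row.
function findByNameSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(findByNameUnsafe($pdo, $input)); // every row comes back
var_dump(findByNameSafe($pdo, $input));   // empty result
```

With pdo_mysql, `PDO::ATTR_EMULATE_PREPARES` defaults to true, so PDO quotes the bound values client-side before sending one query string (the escaping behaviour the answer describes); setting it to false makes PDO use the server's native prepared statements, where query text and parameters are transmitted separately.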