Why does this filter input?
Is the prepare method here designed to filter input? If you pass in something like "101; DROP TABLE products", what will happen? I'm a bit confused about what's going on here.
Here's the code again:
$results = $db->prepare('SELECT name, price, img, sku, paypal FROM products WHERE sku = ?'); $results->bindParam(1,$sku); $results->execute();
Zachary Green16,359 Points
It will escape any dangerous chars. Prepare will also quote your string to fight SQL injection. So now that statement is rendered safe. Later on you should check to see if SKU is int or string add another layer of protection.