Niel Archer wrote:
I prefer PHP Data Objects to
addslashes and mysql_real_escape_string

I prefer PDO myself.  However, it is not necessarily safer.  When using
prepared statements the parameters are automatically escaped similar to
mysql(i)_real_escape_string, if my reading of the documentation is

No, prepared statements are better than that. The database knows that what you pass in can only be data, and you can't get out of that "parameter", thus you're safe from SQL injection. (I'm trying to find a decent doc that explains this but can't find anything.)

But as far as I can tell no escaping is performed on PDO::query
or PDO::exec other than what you do yourself, so you have the same risks
that need to be addressed.

Correct. See PDO::Quote (


PHP Database Mailing List (
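The three approaches discussed in this thread, side by side, as an added example that is not code from either poster. It assumes the pdo_sqlite driver and an in-memory database; the `users` table, its rows, the sample inputs and the three function names are constructed for illustration.

```php
<?php
// Added example: in-memory SQLite so it runs offline; table and rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users (name, email) VALUES
    ('alice', 'alice@example.test'),
    ('bob', 'bob@example.test'),
    ('o''brien', 'ob@example.test')");

// 1. PDO::query() with string concatenation: PDO does no escaping here,
//    so the input becomes part of the SQL text itself.
function findConcatenated(PDO $db, string $name): array {
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. PDO::query() with PDO::quote(): the value is escaped and wrapped in
//    quotes by the driver before it is placed in the SQL text.
function findQuoted(PDO $db, string $name): array {
    $sql = 'SELECT name FROM users WHERE name = ' . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Prepared statement: the SQL text is fixed at prepare() time and the
//    value is bound separately as a parameter.
function findPrepared(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a plain name, a legitimate name containing a quote,
// and a value that tries to change the WHERE clause.
$inputs = ['alice', "o'brien", "x' OR '1'='1"];
foreach ($inputs as $input) {
    echo "input: $input\n";
    foreach (['findConcatenated', 'findQuoted', 'findPrepared'] as $fn) {
        try {
            $rows = $fn($db, $input);
            printf("  %-17s %d row(s): %s\n", $fn, count($rows), implode(', ', $rows));
        } catch (PDOException $e) {
            printf("  %-17s SQL error (input altered the statement)\n", $fn);
        }
    }
}
```

With the MySQL driver, PDO emulates prepares client-side by default; setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the server do the parameter binding.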