PDO execute($input_parameter) protects from sql injections as bindParam/bindValue?

Question

Does execute($input_parameter) protect from sql injections just like bindParam/bindValue?

If the answer is yes, bindParam()/bindValue

Answer 1

As far as execute($input_parameters) being as safe as separate bindParam/bindValue/execute steps, the answer would appear to be basically, yes.

However, you might still need to take further measures depending on how you constructed the query string that you pass to your PDO::prepare call. It is not always possible to parameter-ize everything in the prepared query string. For example, you can't use a parameter for a table or column name. If you allow user data or any external data into that query string you must still sanitize that data before passing the string to prepare. Refer to these stackoverflow questions for more details:

• how safe are PDO prepared statements
• Are PDO prepared statements sufficient to prevent SQL injection?

In general you should be filtering all input data anyway, so if you wanted to be extra safe you could sanitize any input data that is destined for SQL-type stuff using the filters appropriate for your needs, or even writing a FILTER_CALLBACK custom function if you wish. In the case of table or column names coming from user-provided data, a common validation technique is to check the values against arrays of allowable names.

Hope this helps. Good luck. Stay safe! ;)

Answer 2

Yes, it does the same thing. I cannot say that it is invulnerable, because the underlying SQL engine could itself be vulnerable. But that really isn't in your hands anymore.

So for all practical reasons, yes, its safe.

EDIT: Look at the PHP Documentation (1st and second example). One is with bindParam() and the other uses execute().