views: 12

answers: 0
public function receiveDomainNames($keyword)
{
  try
  {
    $stmt = $this->_dbh->prepare("SELECT d.someField FROM domain d WHERE d.someField LIKE :keyword");
    $someField = '%'.$keyword.'%';
    $stmt->bindValue(':keyword', $someField, PDO::PARAM_STR); // sent as a parameter value, never spliced into the SQL text
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
  }
  catch (PDOException $e) { throw $e; } // a try block needs a catch (or finally) to be valid PHP
}

Do we need to escape $keyword in this case?

In the PHP manual we can read:

If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible).

Is this the case in your opinion? Are we, in this case, building up the query with unescaped input (no prior treatment has been made to our $keyword parameter)?

Thanks in advance, MEM
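The following is an added example, not code from the question above: it runs the same bound-parameter LIKE query against an in-memory SQLite database so it can be executed offline, and then goes one step beyond the question. The table, its rows and the function names (searchDomains, searchDomainsLiteral, escapeLike) are constructed for illustration. It shows two separate things: that a bound value cannot alter the SQL statement, whatever quotes or comment markers it contains, and that binding does not touch the LIKE wildcards % and _, which the user can still supply to widen the match (a data-exposure concern rather than injection) unless they are escaped with an ESCAPE clause.

```php
<?php
// Added example (not the original poster's code). Uses SQLite so it runs offline;
// the table and rows below are constructed sample data.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE domain (someField TEXT)");
$ins = $dbh->prepare("INSERT INTO domain (someField) VALUES (:name)");
foreach (['example.com', 'example.org', 'under_score.net', 'other.io'] as $name) {
    $ins->execute([':name' => $name]);
}

// 1) The pattern from the question: the keyword is bound, never concatenated
//    into the SQL text, so quotes or comment markers inside it are plain data
//    that LIKE compares against the column.
function searchDomains(PDO $dbh, string $keyword): array
{
    $stmt = $dbh->prepare("SELECT d.someField FROM domain d WHERE d.someField LIKE :keyword");
    $stmt->bindValue(':keyword', '%' . $keyword . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 2) Same query, but LIKE's own metacharacters (% and _) are neutralised as well,
//    so the caller can only match literal text. '!' is used as the escape
//    character instead of a backslash to sidestep driver-specific backslash rules.
function escapeLike(string $s): string
{
    // Escape the escape character first, then the two wildcards (sequential replace).
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $s);
}

function searchDomainsLiteral(PDO $dbh, string $keyword): array
{
    $stmt = $dbh->prepare(
        "SELECT d.someField FROM domain d WHERE d.someField LIKE :keyword ESCAPE '!'"
    );
    $stmt->bindValue(':keyword', '%' . escapeLike($keyword) . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A quote-and-OR style keyword is matched literally against the column: it cannot
// change the statement, and no stored name contains that text.
var_dump(searchDomains($dbh, "' OR '1'='1"));

// A bare "%" keyword is harmless as SQL but, unescaped, it is a wildcard and
// matches every row; with escapeLike() it matches only a literal percent sign.
var_dump(count(searchDomains($dbh, '%')));
var_dump(count(searchDomainsLiteral($dbh, '%')));

// "_" matches any single character unless escaped, so "e_ample" hits the two
// example.* rows in the first function and nothing in the second.
var_dump(searchDomains($dbh, 'e_ample'));
var_dump(searchDomainsLiteral($dbh, 'e_ample'));
```

Run it with `php example.php`. The design point is that the two concerns are independent: the placeholder answers the injection question (the value is transported as a parameter, not parsed as SQL), while wildcard escaping is an application-level decision about what a search term is allowed to mean. Which one your code needs depends on whether users are supposed to be able to type % and _ as wildcards.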