tags:

views:

12

answers:

0
Q: 

PDO prepare statements: Do we need to escape? 

public function receiveDomainNames($keyword)
{
  try
  {
    $stmt = $this->_dbh->prepare("SELECT d.someField FROM domain d WHERE d.someField LIKE :keyword");
    $someField = '%'.$keyword.'%';

Do we need to escape $keyword on this case?

On php manual we can read:

If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible).

Is this the case on your opinion, are, on this case, build up unescaped input (no prior treatment has been made to our $keyword parameter) ?

Thanks in advance, MEM

related questions

How do I tell Apache which PHP to use?
PDO MySQL Driver on Mac
Named parameters, caching and PDO
How can I convert all values of an array to floats in PHP?
How can I implement commit/rollback for MySQL in PHP?
How do detect that transaction has already been started?
List of PDOStatement::bindParam data_type parameters
Is it possible to rewind a PDO result?
PDO try-catch usage in functions
How to change character encoding of a PDO/SQLite connection in PHP?
Can one convert a MySQL connection to a PDO connection?
Why is PHP PDO DSN a different format for MySQL versus PostgreSQL?
PDO Prepared Statements
Can PHP PDO Statements accept the table name as parameter?
What PHP / MySQL drivers or Database Abstraction Layers Support Prepared Statements?
How do I loop through a MySQL query via PDO in PHP?
Error with bindParam overwriting in PHP
Are PDO prepared statements sufficient to prevent SQL injection?
Installing PDO-drivers for PostgreSQL on Mac (using Zend for eclipse)
SQLite/PHP read-only?
How do you do fuzzy searches using bound parameters in PDO?
How do prepared statements work?
SQL Pagination
Persistent DB Connections - Yea or Nay?
mysqli or PDO - what are the pros and cons?