Just starting to use PDO in PHP and was wondering if this is the right way to do it and if it is secure, or if I still need to do any escaping (I thought the prepare would take care of this, but I might be wrong)?

```php
function emailAvailable($email)
{
    // ensure the database connection is accessible
    global $dbh;

    // prepare an SQL query to see if the email address already exists
    $stmt = $dbh->prepare('SELECT COUNT(*) AS `tot` FROM `user` WHERE `email` = :email');

    // execute the query with the provided data bound to the placeholder
    $stmt->execute(array(':email' => $email));

    // get the result row
    $result = $stmt->fetch(PDO::FETCH_ASSOC);

    // the address is available only if no row carries it
    return $result['tot'] == 0;
}
```
I haven't used PDO to connect to a database yet, but I know some articles that should provide some help (also regarding escaping):

http://net.tutsplus.com/tutorials/php/pdo-vs-mysqli-which-should-you-use/?search_index=1
http://net.tutsplus.com/tutorials/php/php-database-access-are-you-doing-it-correctly/?search_index=2
http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/?search_index=3

Regarding escaping: whenever a user can input something, it has to be escaped. No matter how simple and obvious it seems, escape it.
Thanks, I thought the prepare statement would take care of escaping. But by the look of it I was wrong. Thanks for the links.
You thought correctly. You do not need to quote prepared statements. From the PDO::prepare manual: the other alternative is PDO query and PDO quote, which is faster than prepared statements.
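A self-contained check of the point made above, added here as an example and not taken from the thread: the value bound to the `:email` placeholder is passed as data, so an address containing a quote character matches a stored row literally instead of altering the query. It assumes an in-memory SQLite database and constructed seed rows so it runs offline; the `emailAvailable` signature takes the handle as a parameter instead of using `global`.

```php
<?php
// Constructed in-memory database standing in for the real `user` table.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Caveat for MySQL (not needed for SQLite, which always prepares server-side):
// $dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
// makes PDO send the statement and its values separately instead of
// splicing a quoted copy of the value into the SQL text on the client.

$dbh->exec('CREATE TABLE `user` (`id` INTEGER PRIMARY KEY, `email` TEXT NOT NULL)');
$seed = $dbh->prepare('INSERT INTO `user` (`email`) VALUES (:email)');
foreach (['alice@example.com', "o'brien@example.com"] as $address) {
    $seed->execute([':email' => $address]);   // constructed sample rows
}

// Same query as the original post: the placeholder is bound at execute time,
// so no manual quoting or escaping of $email is performed anywhere.
function emailAvailable(PDO $dbh, string $email): bool
{
    $stmt = $dbh->prepare('SELECT COUNT(*) FROM `user` WHERE `email` = :email');
    $stmt->execute([':email' => $email]);
    return (int) $stmt->fetchColumn() === 0;
}

// The apostrophe in o'brien is treated as part of the value, so this reports
// the address as taken; an unknown address reports as available.
foreach (["o'brien@example.com", 'bob@example.com'] as $candidate) {
    printf("%-22s %s\n", $candidate, emailAvailable($dbh, $candidate) ? 'available' : 'taken');
}
```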