// $conn is an existing PDO connection; the value is bound when execute() runs
$stmt = $conn->prepare('SELECT * FROM users WHERE user_id = :user_id');
$stmt->execute(array(':user_id' => $_GET['user_id']));
$result = $stmt->fetchAll(PDO::FETCH_OBJ);
I'm using PDO like that; do I need to sanitise the GET parameter?
I know that if I do $stmt->bindParam(':user_id', $_GET['user_id'], PDO::PARAM_INT);
then it is not a problem. But is my way safe?
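A runnable check of what the pattern in the question actually does, added here as an example that is not part of the original post. It assumes an in-memory SQLite database with a constructed users table; the findUser() function and the sample inputs are constructed for the demo.

```php
<?php
// Added example: a value passed to execute() is bound as a parameter and is
// never spliced into the SQL text, so it cannot change the query. An
// in-memory SQLite database keeps this self-contained and offline.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask for real server-side prepares where the driver supports them
// (matters for MySQL; SQLite always prepares natively).
$conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$conn->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT)');
$conn->exec("INSERT INTO users (user_id, name) VALUES (1, 'alice'), (2, 'bob')");

function findUser(PDO $conn, $userId): array
{
    // Same shape as the question: placeholder in the SQL, value handed to
    // execute(). PDO binds it as PDO::PARAM_STR; the database compares the
    // whole string against user_id and never parses it as SQL.
    $stmt = $conn->prepare('SELECT * FROM users WHERE user_id = :user_id');
    $stmt->execute([':user_id' => $userId]);
    return $stmt->fetchAll(PDO::FETCH_OBJ);
}

// Simulated $_GET['user_id'] values (constructed). The non-numeric ones are
// compared as a single literal and simply match nothing; the table survives.
foreach (['1', '1 OR 1=1', '1; DROP TABLE users'] as $input) {
    printf("%-24s -> %d row(s)\n", var_export($input, true), count(findUser($conn, $input)));
}
printf("users table still present: %s\n",
    $conn->query("SELECT COUNT(*) FROM users")->fetchColumn() === false ? 'no' : 'yes');

// Caveat behind the bindParam(..., PDO::PARAM_INT) form: binding as a string
// is safe against injection but does not validate the input. Some databases
// (MySQL, for one) coerce a string with a leading digit to that number when
// comparing it to an integer column, so validate before querying and return
// a clear error instead of a silently empty or surprising result.
function parseUserId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

$raw = $_GET['user_id'] ?? '2';          // constructed default for CLI runs
$userId = parseUserId($raw);
if ($userId === null) {
    http_response_code(400);
    exit("user_id must be a positive integer\n");
}
var_dump(findUser($conn, $userId));
```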