Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial

Development Tools Using PHP with MySQL Filtering Input for Queries Preparing SQL Statements

Why does this filter input?

Is the prepare method here designed to filter input? If you pass in something like "101; DROP TABLE products", what will happen? I'm a bit confused about what's going on here.

Here's the code again:

$results = $db->prepare('SELECT name, price, img, sku, paypal FROM products WHERE sku = ?');
$results->bindParam(1,$sku);
$results->execute();

1 Answer

Zachary Green
Zachary Green
16,359 Points

It will escape any dangerous chars. Prepare will also quote your string to fight SQL injection. So now that statement is rendered safe. Later on you should check to see if SKU is int or string add another layer of protection.

Ok, thanks. How exactly does that work, though?

Cool, thanks