
PDO Introduction — Replacing mysql_* with Prepared Statements

Language: PHP · Requires: PHP 5.1+ · Level: Beginner

Also Known As

PHP Data Objects, PDO::prepare, PDO::execute

TL;DR

PDO (PHP Data Objects), introduced in PHP 5.1, provided a unified database abstraction layer with named parameters and prepared statements — finally making SQL injection prevention structurally reliable.

Explanation

Before PDO, PHP developers used database-specific extensions: mysql_* for MySQL, pg_* for PostgreSQL. None supported named prepared statements. PDO introduced a consistent interface: PDO::prepare() creates a parameterised query and execute() runs it with the bound values, so the driver, not application code, is responsible for keeping those values out of the SQL text. PDO also introduced named parameters (:name) alongside positional (?) parameters. The extension has been bundled with PHP since 5.1 and is the standard database interface for all modern PHP.

Common Misconception

Misconception: PDO prevents SQL injection automatically, regardless of how you use it. Reality: only prepared statements prevent it; PDO::query() with string interpolation is just as vulnerable as mysql_query() was.

Why It Matters

PDO is the foundation of all modern PHP database interaction — understanding it explains why frameworks use it and how to use it correctly in raw PHP.

Common Mistakes

  • Using PDO::query() with interpolated variables instead of prepare/execute
  • Not checking the return value of execute() for false
  • Enabling ATTR_EMULATE_PREPARES without understanding that it falls back to client-side string escaping instead of a true server-side prepare

Code Examples

✗ Vulnerable
// mysql_ extension approach:
$result = mysql_query("SELECT * FROM users WHERE id=$id");
$row = mysql_fetch_assoc($result); // SQL injection risk + removed in PHP 7
✓ Fixed
// PDO with prepared statements ($pdo is an already-opened PDO connection):
$stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id'); // SQL text is fixed here
$stmt->execute([':id' => $id]);                               // $id is sent as a bound value, never spliced into the SQL
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// The same code works across MySQL, PostgreSQL, SQLite, MSSQL
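To show the "Common Mistakes" list and the fixed snippet above side by side, here is an added example that is not code from the original entry: the interpolated PDO::query() pattern next to the prepare()/execute() form, run on a constructed in-memory SQLite table so it works offline. It assumes the pdo_sqlite extension is available; the users table, its rows and the two test inputs are made up for the demonstration.

```php
<?php
// Added example, not code from the original entry: the interpolated PDO::query()
// pattern listed under "Common Mistakes" beside the prepare()/execute() form,
// run on a constructed in-memory SQLite table so it works offline.
// Assumes the pdo_sqlite extension; the users table and its rows are made up.

function connect(): PDO
{
    return new PDO('sqlite::memory:', null, null, [
        // Throw on failure instead of returning false, so an execute() result
        // can never be silently ignored (mistake 2 in the list above).
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Prefer real server-side prepares over client-side escaping (mistake 3);
        // SQLite ignores this setting, MySQL needs it set explicitly.
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function seed(PDO $pdo): void
{
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO users (id, name) VALUES (:id, :name)');
    foreach ([[1, 'alice'], [2, 'bob'], [3, 'carol']] as [$id, $name]) {
        $ins->execute([':id' => $id, ':name' => $name]);
    }
}

// Unsafe: $id is spliced into the SQL text, so any input that is not a plain
// number changes what the query means. Shown only for contrast (mistake 1).
function findUnsafe(PDO $pdo, string $id): array
{
    return $pdo->query("SELECT * FROM users WHERE id = $id")->fetchAll();
}

// Safe: the SQL text is fixed at prepare() time and $id travels as a bound
// value, so it can only ever be compared against the id column.
function findSafe(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll();
}

$pdo = connect();
seed($pdo);
foreach (['2', '2 OR 1=1'] as $input) { // second value: constructed non-numeric input
    printf("input %-12s unsafe: %d row(s)   safe: %d row(s)\n",
        var_export($input, true), count(findUnsafe($pdo, $input)), count(findSafe($pdo, $input)));
}
```

With the non-numeric input, the interpolated query returns every row because the input has become part of the WHERE clause, while the prepared query returns none because the whole string is compared as a single value against the integer id column.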

Added 22 Mar 2026
Edited 23 Mar 2026
Tools & Severity
🔴 Severity: Critical · ⚙ Fix effort: Medium
⚡ Quick Fix
Replace every PDO::query($sql) call that interpolates variables into $sql with PDO::prepare($sql)->execute($params); this one change removes the entire SQL injection surface.
📦 Applies To
PHP 5.1+ · web · cli · queue-worker
🔍 Detection Hints
  • $pdo->query("SELECT ... WHERE id='$id'") interpolation
  • mysql_* function calls
  • string concatenation building SQL
Auto-detectable: ✓ Yes (semgrep, rector, phpstan)
CWE-89