Is prepared queries are a good way (or best) to counter SQL Injection?

Does prepares queries can make applications 100% safe by it seft?

Ref: php.net/manual/fr/mysqli.quickstart.prepared-statements.php

English version of the link for other readers.

I might not totally understand the PHP code in the guide but there's totally no way of making your application 100% secure.

not a programming expert, but to counter attack SQL injection you should filter the input.

For example if your asking for telephone number, then filter special characters like *, /, \, $, #, , alphabets etc...

Then same thing goes for any input field, allow the characters that is needed and deny or filter other characters that is not expected as part of the data that will be collected to process the input data.

or check out this one:
http://stackoverflow.com/questions/6...jection-in-php

1 members found this post helpful.

You definitely should use prepared statements and bound-parameters in all cases, even though the PHP language does not make this particularly easy to do.

You should never, ever "build" an SQL statement in which anything supplied by the user is "textually inserted." Instead, you should prepare a statement that consists of a literal string hard-coded in the source code of the program, which statement includes "placeholders ('?')" corresponding to each variable parameter which the statement expects to receive. You bind the appropriate values for each placeholder, each time you execute the prepared statement ... which only need be prepared once. The SQL statement, itself, is fixed and unchanging within your program.

I frankly never quite understood why the PHP language makes the construction and execution of parameterized SQL queries so difficult. In other languages, you simply provide the parameters as an array-valued parameter to "execute." The designers of PHP did things acceptably well in most cases, but they rather-curiously fumbled the ball on this one.

1 members found this post helpful.