How PDO prepared statements help to prevent SQL vulnerable statements? -

i'm confused or rather i'm like, soooooooooo confused pdo prepared statements. know prepared statements best way keep data safe hackers.

from : how can prepared statements protect sql injection attacks?

we sending program server first

$db->prepare("select * users id=?"); data substituted variable called "placeholder".

note same query being sent server, without data in it! , we're sending data second request, totally separated query itself:

$db->execute($data);

query-

$query=$db->prepare("select * users username=?"); $query->execute(array($tex)); $tex=blah; drop table users;-- 

then - select * users username=blah; drop table users;--

how prepare statements me example above?

i'm sorry if question vague understand. appreciated. in advance.

the prepared statement handler make sure bound value always used valid sql value/literal (ie. sql string or number) , never 'raw sql text'¹.

this why placeholders values cannot used identifiers such column or table names or act other sql keywords; , cannot generate vulnerable query hypothesized. instead treated following:

where username='blah; drop table users;--'             --^ placeholder ensures valid sql string value used             --  (note automatic/implicit addition of sql quotes) 

and when binding 'more tricky' data:

$tex = "blah'; drop table users;--";  // embedded sql quote character 

it still safe:

where username='blah''; drop table users;--'             --^ placeholder still ensures valid sql string value used 

thus, when using placeholders, impossible generate sql vulnerable (in way).

for sql injection 'shape' of query (which includes keywords , identifiers, excludes values) must altered input.

---

¹ technically placeholders values can sent through separate data channel (depending on adapter/driver) , might not appear in raw sql query itself.

however simple way think why placeholders safe, or how 'work' is:

when using placeholders adapter ensures equivalent of 'sql safe escape' , applicable quoting always used every bound text value - , impossible accidentally forget.