PHP-PDO
- sondip poul singh
- May 15, 2019
To build and run database queries, Laravel uses the interface provided by its query builder. The query builder uses PDO parameter binding to protect the application from SQL injection. SQL injection is an attack in which untrusted input (a form field, a URL parameter, a cookie) is pasted into the text of a query, so the database parses it as SQL instead of treating it as data. An attacker can use this to read confidential rows, change or delete data, and in some setups run commands on the database server. PDO's prepared statements and parameter binding are the standard defence against it, and that is what this post is about.
So what is PDO? It is an abbreviation of PHP Data Objects. The PHP Data Objects (PDO) extension defines a lightweight, consistent interface for accessing databases in PHP. It is a data-access abstraction layer: the same calls (prepare, bindValue, execute, fetch) work whichever database driver is in use, so code written against PDO does not change when moving from MySQL to PostgreSQL or SQLite. Note that PDO does not rewrite the SQL itself, so vendor-specific syntax such as MySQL's INSERT ... SET is still yours to handle. When we connect to the database in PHP we construct a PDO object, passing a DSN that names the driver and database; that object is then our handle for every operation on the database. Two settings are worth adding right after construction: the connection charset in the DSN (PDO needs to know it to quote values correctly) and ERRMODE_EXCEPTION, so a failed query throws instead of silently returning false.
$pdo = new PDO('mysql:host=hostname;dbname=database;charset=utf8mb4', 'username', 'password');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // surface failures as exceptions
Another important term when using PDO is binding. The binding method itself is simple, but before discussing binding we need to understand prepared statements. Look at this code (from the PHP & MySQL: Novice to Ninja book):
// The date is taken from MySQL's CURDATE() rather than a quoted literal,
// so no single quote ends the PHP string early.
$sql = 'INSERT INTO joke SET joketext = :joketext, jokedate = CURDATE()';
$s = $pdo->prepare($sql);
$s->bindValue(':joketext', $_POST['joketext']); // the user's text is passed as data, never as SQL
$s->execute();
When a query needs to run we first prepare it. The PDO object sends the SQL text to the database server with :joketext left as a placeholder; the server parses and plans the statement, but it cannot run it yet because the value is missing. What comes back is a PDOStatement object, stored here in $s. We then bind the missing value to the placeholder with bindValue(), and execute() ships the value to the server, which slots it into the already-parsed statement. Because the value is never part of the SQL text, a quote or a semicolon inside it is just characters in a string, not syntax; the query's structure was fixed at prepare time, and that is why binding prevents SQL injection.
Two caveats a practitioner should know. First, the MySQL driver emulates prepares by default (PDO::ATTR_EMULATE_PREPARES is true): PDO quotes the values itself and sends one complete statement. That is still safe as long as the connection charset is declared in the DSN, but setting the attribute to false gives you real server-side prepares. Second, placeholders only work where a value can go. A table or column name, an ORDER BY column or an ASC/DESC keyword cannot be bound; for those, check the input against a fixed list of allowed names before putting it in the query.
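The following is an added example, not code from the original post or from the Novice to Ninja book. It puts a deliberately vulnerable string-concatenated query next to its bound prepared-statement form and runs both against an in-memory SQLite database, so it works offline with only PHP's pdo_sqlite extension. The joke table, its rows and the attacker input are constructed for the demo; the function names findJokesUnsafe, findJokesSafe, addJoke and listJokes are this example's own. It also shows the identifier case from the caveat above, where a bound parameter is not available and an allow-list is used instead.

```php
<?php
// Added example: concatenation vs. PDO parameter binding, and an allow-list
// for an ORDER BY column that cannot be bound. Runs against in-memory SQLite.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed demo schema and data (not the book's real table).
$pdo->exec('CREATE TABLE joke (id INTEGER PRIMARY KEY, joketext TEXT NOT NULL, jokedate TEXT NOT NULL)');
$pdo->exec("INSERT INTO joke (joketext, jokedate) VALUES ('Why did the chicken cross the road?', '2019-05-15')");
$pdo->exec("INSERT INTO joke (joketext, jokedate) VALUES ('Knock knock.', '2019-05-14')");

// VULNERABLE on purpose: the user's text becomes part of the SQL string.
// A quote in the input closes the literal and the remainder is parsed as SQL.
function findJokesUnsafe(PDO $pdo, string $text): array
{
    $sql = "SELECT id, joketext FROM joke WHERE joketext = '" . $text . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the statement is prepared with a placeholder, and the value is bound
// afterwards, so the database only ever sees it as data.
function findJokesSafe(PDO $pdo, string $text): array
{
    $s = $pdo->prepare('SELECT id, joketext FROM joke WHERE joketext = :joketext');
    $s->bindValue(':joketext', $text);
    $s->execute();
    return $s->fetchAll(PDO::FETCH_ASSOC);
}

// The book's INSERT, in SQLite syntax. Quotes and semicolons in $text are stored
// verbatim because they never touch the SQL text.
function addJoke(PDO $pdo, string $text): int
{
    $s = $pdo->prepare("INSERT INTO joke (joketext, jokedate) VALUES (:joketext, date('now'))");
    $s->bindValue(':joketext', $text);
    $s->execute();
    return (int) $pdo->lastInsertId();
}

// A column name cannot be a bound parameter, so the sort column is validated
// against a fixed allow-list before it is spliced into the query.
function listJokes(PDO $pdo, string $orderBy): array
{
    $allowed = ['id', 'jokedate'];
    if (!in_array($orderBy, $allowed, true)) {
        throw new InvalidArgumentException('unexpected sort column: ' . $orderBy);
    }
    return $pdo->query("SELECT id, joketext FROM joke ORDER BY $orderBy")->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: ends the string literal, then adds an always-true condition.
$attack = "' OR '1'='1";

printf("unsafe: %d rows\n", count(findJokesUnsafe($pdo, $attack)));
printf("safe:   %d rows\n", count(findJokesSafe($pdo, $attack)));

// The same characters stored as plain text through the bound INSERT.
$id = addJoke($pdo, "It's a \"pun\"; DROP TABLE joke; --");
$s = $pdo->prepare('SELECT joketext FROM joke WHERE id = :id');
$s->bindValue(':id', $id, PDO::PARAM_INT);
$s->execute();
printf("stored:  %s\n", $s->fetchColumn());

// Allow-listed identifier: accepted, then rejected.
printf("sorted: %d rows\n", count(listJokes($pdo, 'jokedate')));
try {
    listJokes($pdo, 'jokedate; DROP TABLE joke');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

Run it with php from the command line. The unsafe query returns every row, because the WHERE clause became joketext = '' OR '1'='1', while the bound query returns none, since no joke has that literal text. The third section shows the quote-laden joke coming back exactly as entered, and the last shows the allow-list refusing a sort column that is not on the list, which is the only option for identifiers, where no placeholder can help.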