Been trying to ensure my queries are good. Something crossed my mind.
To prevent someone injecting extra stuff into my query, perhaps through a form, should I add 'WHERE 1' to all queries where WHERE isn't really 'needed', so that a WHERE something = something_else can't be added by a malicious input? I can add it, but will it prevent even one type of malicious hack?
It could help. I think WordPress adds WHERE 1 = 1 to their queries for this reason.
However, they can easily add a # to the end of their injection, which can cut off everything else in the query.
Would using PDO not eliminate any risk of having any SQL injection issues?
There's always a risk. It'll greatly greatly reduce it, but there is always a risk. =p
PDO does nothing itself; using prepared statements that properly separate user input does. PDO just provides a simple interface to do so, but you can still F**k it up if you don't know what you're doing.
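As an added illustration of the point made in the last two replies (this is example code, not posted by anyone in the thread), the following PHP uses PDO with a bound parameter against an in-memory SQLite database. The table, its rows and the function names are constructed for the example, and it assumes the pdo_sqlite extension is available. A concatenating version carrying the `WHERE 1 = 1` prefix from the question sits beside the hardened form to show that the prefix changes nothing about how the statement text is assembled, while the prepared statement treats a value containing quotes or SQL keywords strictly as data.

```php
<?php
// Added example, not from the thread. Runs offline against an in-memory
// SQLite database; table, rows and function names are constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'user'), ('O''Brien', 'user')");

// The pattern asked about in the question: a fixed "WHERE 1 = 1" prefix with
// the user's value concatenated into the SQL text. The prefix is irrelevant;
// whatever the value contains becomes part of the statement that is parsed.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username, role FROM users WHERE 1 = 1 AND username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed when prepare() is called and the value
// travels separately as a bound parameter, so it can only be compared as data.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username, role FROM users WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Legitimate data containing a quote: the concatenating version produces a
// syntactically broken statement and throws, the bound version just works.
try {
    findUserUnsafe($pdo, "O'Brien");
    echo "unsafe: no error\n";
} catch (PDOException $e) {
    echo "unsafe: query failed on ordinary input containing a quote\n";
}
echo 'safe: ', count(findUserSafe($pdo, "O'Brien")), " row(s) for O'Brien\n";

// Input that happens to contain SQL syntax is matched literally against the
// column by the prepared statement, so it finds no row instead of altering
// the meaning of the query.
echo 'safe: ', count(findUserSafe($pdo, "alice' OR '1'='1")), " row(s) for a value containing SQL syntax\n";
```

The first call demonstrates why concatenation is fragile even before security is considered: a real name with an apostrophe breaks the statement. The second and third calls show what "separating user input" means in practice; the statement structure is decided by the code, and nothing in the bound value can add, remove or comment out a clause, which is the property the `WHERE 1` trick cannot provide.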