954,604 Members — Technology Publication meets Social Media
Username:
Password:
Lost login information?
Have something to say? Contribute New Article Reply to this Article
3 Months Ago
0

Escaping vars vs prepared statements

I've been looking to secure a site that has many queries involved. I've always known about mysql real escape string for a while but recently i ran across prepared statements. I had a few questions about them.

Is it a good idea to use both? is this over kill?

When should i use one but not the other?

Any other protection coding techniques i should look into for my queries and variables?

RazorRamon
Junior Poster in Training
74 posts since Sep 2010
Reputation Points: 10
Solved Threads: 0
 
3 Months Ago
Show Comments
1

PDO prepared statements are better (IMO). You shouldn't need to mres() them, as PDO should be DB type agnostic (e.g. mysql, sqlite, odbc and sometimes mssql etc).

I think it's still a good idea to test the datatype or bounds for an input variable, before you proceed to run a query, e.g. if an input variable is expected to be an integer between 5 and 10 - check it before blindly using it in a query.

Are you using ORM?

diafol
Rhod Gilbert Fan (ardav)
Moderator
7,800 posts since Oct 2006
Reputation Points: 1,170
Solved Threads: 1,080
 
3 Months Ago
0

I'm not using orm... U mean like cakephp

RazorRamon
Junior Poster in Training
74 posts since Sep 2010
Reputation Points: 10
Solved Threads: 0
 
3 Months Ago
0

No prob. Still applies

diafol
Rhod Gilbert Fan (ardav)
Moderator
7,800 posts since Oct 2006
Reputation Points: 1,170
Solved Threads: 1,080
 

This article has been dead for over three months

Post: Markdown Syntax: Formatting Help
You
View similar articles that have also been tagged:
 
© 2012 DaniWeb® LLC
Home | About Us | Contact Us | Terms of Service | Advertising Opportunities
RSS Feed RSS Feed