1,105,625 Community Members

Escaping vars vs prepared statements

Member Avatar
RazorRamon
Junior Poster in Training
79 posts since Sep 2010
Reputation Points: 0 [?]
Q&As Helped to Solve: 0 [?]
Skill Endorsements: 0 [?]
 
0
 

I've been looking to secure a site that has many queries involved. I've always known about mysql real escape string for a while but recently i ran across prepared statements. I had a few questions about them.

Is it a good idea to use both? is this over kill?

When should i use one but not the other?

Any other protection coding techniques i should look into for my queries and variables?

Member Avatar
diafol
Where are my eyes?
12,977 posts since Oct 2006
Reputation Points: 1,821 [?]
Q&As Helped to Solve: 1,848 [?]
Skill Endorsements: 92 [?]
Moderator
Featured
Sponsor
 
1
 

PDO prepared statements are better (IMO). You shouldn't need to mres() them, as PDO should be DB type agnostic (e.g. mysql, sqlite, odbc and sometimes mssql etc).

I think it's still a good idea to test the datatype or bounds for an input variable, before you proceed to run a query, e.g. if an input variable is expected to be an integer between 5 and 10 - check it before blindly using it in a query.

Are you using ORM?

Member Avatar
RazorRamon
Junior Poster in Training
79 posts since Sep 2010
Reputation Points: 0 [?]
Q&As Helped to Solve: 0 [?]
Skill Endorsements: 0 [?]
 
0
 

I'm not using orm... U mean like cakephp

Member Avatar
diafol
Where are my eyes?
12,977 posts since Oct 2006
Reputation Points: 1,821 [?]
Q&As Helped to Solve: 1,848 [?]
Skill Endorsements: 92 [?]
Moderator
Featured
Sponsor
 
0
 

No prob. Still applies

You
This article has been dead for over three months: Start a new discussion instead
Post:
Start New Discussion
View similar articles that have also been tagged: