Escaping vars vs prepared statements

I've been looking to secure a site that has many queries involved. I've always known about mysql_real_escape_string for a while, but recently I ran across prepared statements. I had a few questions about them.

Is it a good idea to use both? Is this overkill?

When should I use one but not the other?

Any other protective coding techniques I should look into for my queries and variables?

RazorRamon
Junior Poster in Training
78 posts since Sep 2010

PDO prepared statements are better (IMO). You shouldn't need to mres() them, as PDO should be DB type agnostic (e.g. MySQL, SQLite, ODBC and sometimes MSSQL etc.).

I think it's still a good idea to test the datatype or bounds for an input variable before you proceed to run a query, e.g. if an input variable is expected to be an integer between 5 and 10, check it before blindly using it in a query.

Are you using ORM?

diafol
Keep Smiling
Moderator
10,611 posts since Oct 2006
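Putting diafol's two points together, here is an added example (not code posted in this thread) of a PDO prepared statement with a bounds check run before the query. It uses SQLite in memory so it runs without a database server; with MySQL only the DSN and credentials change. The table, the sample rows and the function names are constructed for illustration.

```php
<?php
// Added example: PDO prepared statements plus input validation.
// SQLite in memory is used so the script runs offline; swap the DSN for MySQL.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask for real server-side prepares where the driver supports them
// (the MySQL driver emulates them by default); harmless on SQLite.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample data (hypothetical table and rows).
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, qty INTEGER)');
$seed = $pdo->prepare('INSERT INTO products (id, name, qty) VALUES (:id, :name, :qty)');
foreach ([[1, 'widget', 5], [2, 'gadget', 8], [3, "o'ring", 12]] as [$id, $name, $qty]) {
    $seed->execute([':id' => $id, ':name' => $name, ':qty' => $qty]);
}

/**
 * Validate first, then bind. The bounds check (the reply's "integer between
 * 5 and 10" case) rejects bad input before any SQL runs; the placeholder keeps
 * whatever passes from ever being interpreted as SQL text.
 */
function productsWithQty(PDO $pdo, mixed $input): array
{
    // filter_var returns false for non-integers ("7abc", "5 OR 1=1", 3.5)
    // and for integers outside the allowed range (99).
    $qty = filter_var($input, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 5, 'max_range' => 10],
    ]);
    if ($qty === false) {
        throw new InvalidArgumentException('qty must be an integer from 5 to 10');
    }
    $stmt = $pdo->prepare('SELECT id, name FROM products WHERE qty = :qty');
    $stmt->bindValue(':qty', $qty, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Text column: no escaping call is needed. The value is sent separately from
 * the SQL, so a quote inside it is just part of the data.
 */
function productByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, qty FROM products WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage: a valid quantity, a name containing a quote, and a value that the
// bounds check refuses before the database is ever involved.
var_dump(productsWithQty($pdo, '8'));
var_dump(productByName($pdo, "o'ring"));
try {
    productsWithQty($pdo, '5 OR 1=1');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The two layers do different jobs: the prepared statement answers the thread's original question (escaping and binding are alternatives, not a pair to stack), while the filter_var check enforces the application's own rules about what a sensible value looks like, which no amount of escaping or binding can do for you.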

I'm not using ORM... You mean like CakePHP?

RazorRamon
Junior Poster in Training
78 posts since Sep 2010

No prob. Still applies.

diafol
Keep Smiling
Moderator
10,611 posts since Oct 2006
