I've been looking to secure a site that has many queries involved. I've always known about mysql_real_escape_string for a while, but recently I ran across prepared statements. I had a few questions about them.

Is it a good idea to use both? Is this overkill?

When should I use one but not the other?

Any other protective coding techniques I should look into for my queries and variables?


PDO prepared statements are better (IMO). You shouldn't need to mres() them, as PDO should be DB type agnostic (e.g. mysql, sqlite, odbc and sometimes mssql etc).

I think it's still a good idea to test the datatype or bounds for an input variable, before you proceed to run a query, e.g. if an input variable is expected to be an integer between 5 and 10 - check it before blindly using it in a query.

Are you using ORM?
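As an added illustration of the two points in the reply above (PDO prepared statements with bound parameters, plus a datatype/bounds check on the input before the query runs), here is a small PHP example. It is not code from the thread; it uses an in-memory SQLite database and a constructed `users` table so it runs stand-alone, and the 5-to-10 range check mirrors the example given in the reply.

```php
<?php
// Added example (not from the original thread): PDO prepared statements with
// bound parameters, plus a bounds check on the input before any query runs.
// The in-memory SQLite database and its rows are constructed sample data.

declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on errors instead of failing silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // On MySQL, also turn off client-side prepare emulation so the server
    // receives the SQL text and the values separately.
    if ($pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
        $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, level INTEGER NOT NULL)');
    $stmt = $pdo->prepare('INSERT INTO users (name, level) VALUES (:name, :level)');
    foreach ([['alice', 5], ['bob', 7], ["o'brien", 10], ['dave', 12]] as [$name, $level]) {
        $stmt->execute([':name' => $name, ':level' => $level]);
    }
    return $pdo;
}

// Check that the raw request value is an integer between 5 and 10.
// Returns null otherwise, so the caller rejects the request before
// building a query from it.
function validateLevel(mixed $raw): ?int
{
    $level = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 5, 'max_range' => 10],
    ]);
    return $level === false ? null : $level;
}

// Look up users by level through a bound parameter. The value travels
// separately from the SQL text, so no manual escaping is involved.
function usersAtLevel(PDO $pdo, int $level): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE level = :level');
    $stmt->bindValue(':level', $level, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Look up a user by name. The apostrophe in "o'brien" is handled by the
// driver, which is exactly what mysql_real_escape_string() used to cover.
function userByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, level FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = connect();

// Constructed request values: one valid, one out of range, one non-numeric.
foreach (['7', '12', 'seven'] as $raw) {
    $level = validateLevel($raw);
    if ($level === null) {
        echo "rejected input: $raw\n";
        continue;
    }
    echo "level $level: " . implode(', ', usersAtLevel($pdo, $level)) . "\n";
}

var_dump(userByName($pdo, "o'brien"));
```

The validation step is what rejects `12` and `seven` before any SQL is touched; the prepared statement is what makes the quote in `o'brien` harmless. Neither replaces the other, which is why the reply recommends doing both, and why mysql_real_escape_string() is not needed on values that are passed as bound parameters.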

I'm not using ORM... You mean like CakePHP?


No prob. Still applies