
I've been looking to secure a site that has many queries involved. I've known about mysql_real_escape_string for a while, but recently I ran across prepared statements. I had a few questions about them.

Is it a good idea to use both? Is this overkill?

When should I use one but not the other?

Any other protective coding techniques I should look into for my queries and variables?

diafol 3,317   5 Years Ago

PDO prepared statements are better (IMO). You shouldn't need to mres() them, as PDO should be DB type agnostic (e.g. mysql, sqlite, odbc and sometimes mssql etc).

I think it's still a good idea to test the datatype or bounds for an input variable, before you proceed to run a query, e.g. if an input variable is expected to be an integer between 5 and 10 - check it before blindly using it in a query.

Are you using ORM?
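The difference between the two approaches in working code, as an added example that is not part of the thread or diafol's post. It runs PHP's PDO against an in-memory SQLite database (constructed table and rows, hypothetical helper names) so it works offline; addslashes() stands in for mysql_real_escape_string(), which needs a live MySQL link but likewise only touches quote and backslash characters. It shows the point above about checking type and bounds first, why escaping alone fails in an unquoted integer position, and one thing prepared statements cannot do (bind an identifier such as an ORDER BY column):

```php
<?php
// Added example, not from the original thread: validation + PDO prepared statements,
// run against an in-memory SQLite database so it executes offline.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql also ask for real server-side prepares; with emulation on, PDO
// quotes values client-side, which is just escaping again:
//   $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
// (pdo_sqlite never emulates, so the line is omitted here.)

// Constructed sample data.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice', 'admin'), (2, 'bob', 'user'), (3, 'carol', 'user')");

// Constructed hostile input: a "user id" that is really a payload.
// It contains no quotes, so an escaping function returns it unchanged.
$hostile = '1 OR 1=1';

// 1. Escaping only, interpolated into an unquoted integer position (the bug).
$escaped = addslashes($hostile);
$rows = $pdo->query("SELECT name FROM users WHERE id = $escaped")->fetchAll(PDO::FETCH_COLUMN);
echo "escaping only:        " . implode(',', $rows) . PHP_EOL; // alice,bob,carol: every row leaked

// 2. Validate first: reject anything that is not an integer in the expected range
//    (the "expected to be an integer between 5 and 10" check from the reply above).
function validateId(string $raw, int $min = 1, int $max = 1000): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $id === false ? null : $id;
}

// 3. Prepared statement: the value is sent separately from the SQL text, so even
//    an unvalidated payload cannot change the query's structure.
function findUserById(PDO $pdo, string $raw): array
{
    $id = validateId($raw);
    if ($id === null) {
        return []; // in a real handler: reject the request (HTTP 400) rather than guess
    }
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

echo "validated + prepared: " . implode(',', findUserById($pdo, $hostile)) . PHP_EOL; // (nothing)
echo "validated + prepared: " . implode(',', findUserById($pdo, '2')) . PHP_EOL;      // bob

// 4. What prepared statements do NOT cover: identifiers. A column name cannot be
//    bound, so a user-chosen sort column needs a whitelist of your own literals.
function listUsersSorted(PDO $pdo, string $sortBy): array
{
    $allowed = ['id', 'name', 'role'];
    if (!in_array($sortBy, $allowed, true)) {
        $sortBy = 'id';
    }
    // Safe only because $sortBy is now guaranteed to be one of $allowed.
    return $pdo->query("SELECT name FROM users ORDER BY $sortBy")->fetchAll(PDO::FETCH_COLUMN);
}

echo "whitelisted ORDER BY: " . implode(',', listUsersSorted($pdo, 'name; DROP TABLE users')) . PHP_EOL; // alice,bob,carol
```

Run it with `php example.php` (needs the pdo_sqlite extension). The takeaway for the original question: escaping and prepared statements are not layered defences, they are alternatives for the same job, and prepared statements do it without depending on the value being inside quotes. Type and range validation is the extra layer worth keeping, and anything that is part of the SQL structure rather than a value (table or column names, sort direction, LIMIT in some drivers) must come from a whitelist, since neither mechanism can protect it.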
