 

Do I still Need To Use Prepared Statement [duplicate]

Using PHP and MySQLi, I have a simple form with 4 HTML5 dropdown select inputs. Now I am wondering: do I still have to use a prepared statement to secure my database? Am I still at risk of SQL injection issues? Or is there any other type of risk in using this type of input? Thanks

Suffii asked Sep 07 '14 16:09


People also ask

Should I always use prepared statements?

You should prefer prepared statements for the security benefit: the SQL text and the bound values travel to the server separately, so a bound value is never parsed as SQL and you no longer have to escape it by hand. Note that they protect only the values you bind; table and column names, ORDER BY columns and similar identifiers cannot be bound and still need an allowlist. The cost is an extra round trip (prepare, then execute), so a query that runs only once per request can be marginally slower than a single plain query.

Why do we use prepared statement instead of statement?

If you want to execute a Statement object many times, it usually reduces execution time to use a PreparedStatement object instead. The main feature of a PreparedStatement object is that, unlike a Statement object, it is given its SQL statement when it is created, so the server can parse and plan the query once and reuse that plan on every execution with fresh parameter values.

What are the limitation of prepared statement?

The limitations of prepared statements are the following. A prepared statement represents exactly one SQL statement, so a single object cannot execute several statements at once (the stacked, multi-statement text that some injection attacks rely on is rejected at prepare time). Each placeholder binds exactly one scalar value: you cannot bind a list for an IN (...) clause without generating one placeholder per element, and you cannot bind a table name, column name or other identifier at all.

How much faster are prepared statements?

Prepared statements are faster when the same statement runs many times with different data, because the server parses, validates and plans the query once at prepare time and only binds the new values on each execute; a plain statement is parsed and planned again on every run.


1 Answer

You are still wide open to an injection attack, since the value submitted through your select box can easily be modified by the end user.

If you have good validation server side, then doing it without a prepared statement would work.

By good I mean something like this:

<?php
$array = array("all", "your", "possible", "values", "from", "Select boxes");
// Strict comparison: rejects a missing field, an array-valued field (selectbox[]=...) and any value not in the list
if (isset($_POST['selectbox']) && in_array($_POST['selectbox'], $array, true)) {
      //Mysql statements etc....
}

Directly inserting user input is NEVER a good idea. You should never trust the end user!

Philip G answered Sep 23 '22 10:09
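The pattern the answer recommends, written out as an added example that is not part of the original question or answer: the vulnerable string-concatenation version beside a hardened version that combines the allowlist with a MySQLi prepared statement. The table `products`, its columns `name`, `price` and `category`, the form field names `category` and `sort`, and the connection details are all assumptions made for the example. It also shows the one case where the allowlist is doing the work rather than the prepared statement: an ORDER BY column, which cannot be bound as a parameter.

```php
<?php
// Added example; assumes a `products` table (name, price, category) and a form with
// select inputs named `category` and `sort`. Not code from the original page.
declare(strict_types=1);

// Vulnerable: the select value is pasted into the SQL text. Nothing forces the
// browser to send one of the option values; curl or DevTools can send anything.
function buildUnsafeSql(string $category): string
{
    return "SELECT name, price FROM products WHERE category = '$category'";
}

// With category = "x' OR '1'='1" the query becomes
//   SELECT name, price FROM products WHERE category = 'x' OR '1'='1'
// and returns every row. A comment sequence ("x' -- ") works the same way.
function findProductsUnsafe(mysqli $db, string $category)
{
    return $db->query(buildUnsafeSql($category));
}

// Hardened: one allowlist per select input, then a prepared statement for the value.
// The sort allowlist maps the submitted token to a column name we own, because an
// identifier in ORDER BY cannot be a bound parameter; here only the allowlist protects us.
const CATEGORIES   = ['all', 'books', 'games', 'music'];
const SORT_COLUMNS = ['price' => 'price', 'name' => 'name'];

function findProductsSafe(mysqli $db, array $post)
{
    $category = $post['category'] ?? null;
    $sort     = $post['sort'] ?? 'name';

    // Strict in_array: rejects arrays (category[]=...), non-strings and unknown values
    if (!is_string($category) || !in_array($category, CATEGORIES, true)) {
        throw new InvalidArgumentException('invalid category');
    }
    if (!is_string($sort) || !array_key_exists($sort, SORT_COLUMNS)) {
        throw new InvalidArgumentException('invalid sort');
    }
    $orderBy = SORT_COLUMNS[$sort]; // taken from our map, never from the request

    if ($category === 'all') {
        $stmt = $db->prepare("SELECT name, price FROM products ORDER BY $orderBy");
    } else {
        // The category value is sent to the server separately from the SQL text,
        // so it is compared as data and never parsed as SQL.
        $stmt = $db->prepare("SELECT name, price FROM products WHERE category = ? ORDER BY $orderBy");
        $stmt->bind_param('s', $category);
    }
    $stmt->execute();
    return $stmt->get_result();
}

// Usage (connection details are assumptions). MYSQLI_REPORT_STRICT turns a failed
// prepare() or execute() into an exception instead of a silent false return.
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// $db = new mysqli('localhost', 'app', 'secret', 'shop');
// $db->set_charset('utf8mb4');
// $rows = findProductsSafe($db, $_POST)->fetch_all(MYSQLI_ASSOC);
```

Two points worth checking in your own code: pass `true` as the third argument of `in_array`, since loose comparison accepts types you did not expect, and keep the allowlist even when you use prepared statements, because it is the only defence for anything that ends up in the SQL text itself (column names, sort direction, table names).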