Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Do prepare statements secure your database?

Tags:

sql

php

mysql

I know that this question may be closed by some of you, but my question came up from you and your answers. I am reading the past two hours questions and answers for SQL Injections and how to protect your database. The same comes to the huge amount of webpages and tutorials I saw.

I found out that half of the people claim that prepare statements do secure your db, and the other 50 claim that it is not.

On the other hand, I read that mysql_real_escape_string does the job, and other people saying that it is not.

My question is who to believe ?

In addition, is this a proper prepare statement?

$stmt = $dbh->prepare("SELECT phpro_user_id, phpro_username, phpro_password FROM phpro_users 
                    WHERE phpro_username = :phpro_username AND phpro_password = :phpro_password");

        /*** bind the parameters ***/
        $stmt->bindParam(':phpro_username', $phpro_username, PDO::PARAM_STR);
        $stmt->bindParam(':phpro_password', $phpro_password, PDO::PARAM_STR, 40);

        /*** execute the prepared statement ***/
        $stmt->execute();
like image 677
EnexoOnoma Avatar asked Aug 24 '11 13:08

EnexoOnoma

People also ask

Why are prepared statements more secure?

Prepared statements can help increase security by separating SQL logic from the data being supplied. This separation of logic and data can help prevent a very common type of vulnerability called an SQL injection attack.

What is the advantage of prepared statement?

Prepared statements offer two major benefits: The query only needs to be parsed (or prepared) once, but can be executed multiple times with the same or different parameters. When the query is prepared, the database will analyze, compile and optimize its plan for executing the query.

What do prepared statements do?

A prepared statement is a feature used to execute the same (or similar) SQL statements repeatedly with high efficiency. Prepared statements basically work like this: Prepare: An SQL statement template is created and sent to the database.

Can all SQL queries be made safe using prepared statements?

Use prepared statements and parameterized queries. These are SQL statements that are sent to and parsed by the database server separately from any parameters. This way it is impossible for an attacker to inject malicious SQL.

1 Answers

Both. Prepared statements will protect you against SQL injections if, and only if, you use them in a correct manner. Just' using' prepared statements won't help if you're still interpolating variables for table/column names for example.

$stmt = "SELECT * FROM $table WHERE $column = ?"; //not good...
like image 112
Mchl Avatar answered Oct 12 '22 12:10

Mchl
Sign in to Comment

Related questions

php reading mysql bit field returning weird character
How to hide controller name in the url in CodeIgniter?
how to subtract two dates and times to get difference
How to preSelect an html dropdown list with php? [duplicate]
php fopen returns false but file is readable/writable
Is replacing a line break UTF-8 safe?
mkdir and subfolders
Best way to stop a single person from creating multiple accounts
How do I enable XSLT functions in PHP 5?
PHP protected classes and properties, protected from whom?
How do I use the same parameter more than once?
Regex - Strip non numeric and remove cents if any
How do I exclude certain form fields upon submission of the form without disabling the field
PHP Performance question: Faster to leave duplicates in array that will be searched or do array_unique?
encrypting and decrypting information stored in cookies
How to pass jQuery variables to PHP variable?
Can't silence imap_open error notices in PHP
Facebook deauthorize my app
When is a 404 not a 404?
PHP: equivalent of MySQL's function SUBSTRING_INDEX ?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!