Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Do prepare statements secure your database?

Tags:

sql

php

mysql

I know that this question may be closed by some of you, but my question came up from you and your answers. I am reading the past two hours questions and answers for SQL Injections and how to protect your database. The same comes to the huge amount of webpages and tutorials I saw.

I found out that half of the people claim that prepare statements do secure your db, and the other 50 claim that it is not.

On the other hand, I read that mysql_real_escape_string does the job, and other people saying that it is not.

My question is who to believe ?

In addition, is this a proper prepare statement?

$stmt = $dbh->prepare("SELECT phpro_user_id, phpro_username, phpro_password FROM phpro_users 
                    WHERE phpro_username = :phpro_username AND phpro_password = :phpro_password");

        /*** bind the parameters ***/
        $stmt->bindParam(':phpro_username', $phpro_username, PDO::PARAM_STR);
        $stmt->bindParam(':phpro_password', $phpro_password, PDO::PARAM_STR, 40);

        /*** execute the prepared statement ***/
        $stmt->execute();
like image 677
EnexoOnoma Avatar asked Aug 24 '11 13:08

EnexoOnoma


People also ask

Why are prepared statements more secure?

Prepared statements can help increase security by separating SQL logic from the data being supplied. This separation of logic and data can help prevent a very common type of vulnerability called an SQL injection attack.

What is the advantage of prepared statement?

Prepared statements offer two major benefits: The query only needs to be parsed (or prepared) once, but can be executed multiple times with the same or different parameters. When the query is prepared, the database will analyze, compile and optimize its plan for executing the query.

What do prepared statements do?

A prepared statement is a feature used to execute the same (or similar) SQL statements repeatedly with high efficiency. Prepared statements basically work like this: Prepare: An SQL statement template is created and sent to the database.

Can all SQL queries be made safe using prepared statements?

Use prepared statements and parameterized queries. These are SQL statements that are sent to and parsed by the database server separately from any parameters. This way it is impossible for an attacker to inject malicious SQL.


1 Answers

Both. Prepared statements will protect you against SQL injections if, and only if, you use them in a correct manner. Just' using' prepared statements won't help if you're still interpolating variables for table/column names for example.

$stmt = "SELECT * FROM $table WHERE $column = ?"; //not good...
like image 112
Mchl Avatar answered Oct 12 '22 12:10

Mchl