Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How does PHP PDO's prepared statements prevent sql injection? What are other benefits of using PDO? Does using PDO reduce efficiency?

Tags:

php

sql-injection

pdo

I have been spotting the sentence PHP PDO's prepared statements prevents SQL injection.

  • How does php PDO's(PDO's prepared statements) prevent sql injection?
  • What are other pros/cons of using PDO(PDO's prepared statements)?
  • Does using PDO(PDO's prepared statements) reduce efficiency?

I have read this: Are PDO prepared statements sufficient to prevent SQL injection? But the data there is not completely clear.

like image 760
ThinkingMonkey Avatar asked Jan 03 '12 21:01

ThinkingMonkey

People also ask

How do prepared statements prevent SQL injection?

Prepared statements are very useful against SQL injections, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.

Does PDO prevent SQL injection?

Also, calling PDO::prepare() and PDOStatement::execute() helps to prevent SQL injection attacks by eliminating the need to manually quote and escape the parameters.

Which PHP function can prevent SQL injection?

Now to avoid this type of SQL injection, we need to sanitize the password input and username input using mysqli_real_escape_string() function. The mysqli_real_escape_string() function takes the special characters as they were as an input from the user and doesn't consider them as query usage.

What is the advantage of using PDO PHP data objects over MySQLi in PHP?

Both MySQLi and PDO have their advantages: PDO will work on 12 different database systems, whereas MySQLi will only work with MySQL databases. So, if you have to switch your project to use another database, PDO makes the process easy. You only have to change the connection string and a few queries.

1 Answers

Well, at second glance your question looks more complex to be answered with just one link

How does php pdo's prepared statements prevent sql injection?

How can prepared statements protect from SQL injection attacks?

What are other pros/cons of using PDO?

Most interesting question.
A greatest PDO disadvantage is: it is peddled and propagated a silver bullet, another idol to worship.
While without understanding it will do no good at all, like any other tool.
PDO has some key features like

  • Database abstraction. It's a myth, as it doesn't alter the SQL syntax itself. And you simply can't use mysql autoincremented ids with Postgre. Not to mention the fact that switching database drivers is not among frequent developer's decisions.
  • Placeholders support, implementing native prepared statements or emulating them. Good approach but very limited one. There are lack of necessary placeholder types, like identifier or SET placeholder.
  • a helper method to get all the records into array without writing a loop. Only one. When you need at least 4 to make your work sensible and less boring.

Does using PDO reduce efficiency?

Again, it is not PDO, but prepared statements that reduces efficiency. It depends on the network latency between the db server and your application but you may count it negligible for the most real world cases.

like image 87
Your Common Sense Avatar answered Sep 16 '22 15:09

Your Common Sense
Sign in to Comment

Related questions

Sort array values based on parent/child relationship
str_ireplace or preg_replace replaced break tag into \r\n
Doctrine Extensions Sortable not working correctly when changing position by more than 1
How to translate live streaming using google speech api?
How to use phpseclib to verify that a certificate is signed by a public CA?
Cannot start service web: OCI runtime create failed:
WSDL URL for a WCF Service (basicHttpBinding) hosted inside a Windows Service
How to Move Already Written CodeIgniter Code to Kohana?
Doctrine Subquery in InnerJoin
cURL 'malformed url'
Is it reasonable to have a fair amount of public properties in a class?
How to limit file upload speed in php or apache?
Why is casting and comparing in PHP faster than is_*?
The correct way of doing delegates or callbacks in PHP
How can i get the PHP magic constant __FILE__ work with Eclipse and PDT
How does PHP assign and free memory for variables?
Getting the most recent message in a thread
How to encrypt long strings in PHP?
How to use PHP script for access control in Apache
Access Exchange Web Services with PHP and cURL

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!