Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

PDO vs MYSQLI, Prepared Statemens and Binding Parameters

Tags:

php

parameters

pdo

prepared-statement

mysqli

I have this very question to clear things up. I read some documentation and comments around but still somethings are just not clear enough.

  • I understand PDO offers more drivers which would certainly is a plus if you would ever change your database type.
  • As said on another post, PDO doesnt offer true prepared statements but mysqli does so it would be safer to use MYSQLI
  • Benchmarks looks similar, (did not test it myself but checked around on the web for a few benchmarks)
  • Being object oriented is not an issue for me since mysqli is catching up. But would be nice to benchmark procedural mysqli vs PDO since procedural is supposed to be slightly faster.

But here is my question, with prepared statement, do we have to use parameter binding with the data we use in our statement? good practice or have to? I understand prepared statements are good perfermance-wise if you run the same query multiple times but it is enough to secure the query itself? or binding parameters is a must? What exactly do the binding parameters and how it works to protect the data from sql injection? Also would be appreciated if you point our any misunderstanding about the statements I made above.

like image 232
Leon Avatar asked May 26 '13 15:05

Leon

1 Answers

In short,

  • Binding is a must, being a cornerstone of protection, no matter if it is supported by a native driver or not. It's the idea of substitution that matters.
  • The difference is negligible in either safety and performance.
  • Performance is the last thing to consider. There is NO API that is considerable slower than other. It is not a class or a function that may cause whatever performance problem but a data manipulation or a bad algorithm. Optimize your queries, not mere functions to call them.
  • If you are going to use a raw bare API, then PDO is the only choice. While wrapped in a higher level class, mysqli seems more preferable for mysql.
  • Both mysqli and PDO lack bindings for the identifiers and keywords. In this case a whitelist-based protection must be implemented. Here is my article with the ready made example, Adding a field name to the SQL query dynamically
like image 57
Your Common Sense Avatar answered Oct 20 '22 05:10

Your Common Sense
Sign in to Comment

Related questions

Find/replace mysql_ to mysqli_ makes code nonfunctional
file_exists() versus in_array() of scandir() -- which is faster? [closed]
Zend Framework 2 Doctrine 2 CLI generate-entities from YAML each module
Wordpress append to HEAD from within shortcode callback
Use constant as class name
Detect SSL when proxy *always* claims a secure connection
Uploading an Image using AWS SDK for PHP 2
Testing PHP code that calls a static method
MySQL Order by language of string
Wrong permissions sets sticky bit
Zend Framework 2: subqueries
How to copy files from server to Dropbox using PHP? [duplicate]
PHP mysqli prepare statement not working
Random object per page request with SilverStripe
Is using PHP if/else within JS bad practice?
Is it possible to access REQUEST_FILENAME via PHP? [duplicate]
SQL Select from 2 tables with same column names only return column when not null
Omitting redundant months and years in date range list
Rotate and crop
MySQL: How to get changes of last UPDATE

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!