Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Should I really be using PDO and prepared statements?

Tags:

php

mysql

pdo

PDO and prepared statements are still kind of confusing to me, no matter how much I read about them so far. So I know they are more "secure" but is it really that important? I mean I can get the same end result using basic mysql with mysql_real_escape_string() and htmlspecialchars() right?

like image 586
JasonDavis Avatar asked Jan 10 '10 22:01

JasonDavis

People also ask

Does PDO use prepared statements?

PDO will emulate prepared statements/bound parameters for drivers that do not natively support them, and can also rewrite named or question mark style parameter markers to something more appropriate, if the driver supports one style but not the other.

Should I always use prepared statements?

You should always prefer working with prepared statements for the security benefits. They all but eliminate vulnerability to SQL injection, without you having to worry about SQL-escaping values. If you have a query that doesn't run often, though (less than once per request), a prepared statement can take longer to run.

Should I use PHP prepared statements?

Prepared statements are very useful against SQL injections, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.

Are prepared statements Safe?

A prepared statement is a parameterized and reusable SQL query which forces the developer to write the SQL command and the user-provided data separately. The SQL command is executed safely, preventing SQL Injection vulnerabilities.

1 Answers

You could, but PDO and prepared statements are the absolute safest. Could you do it by hand and use the mysql_real_escape_string() function? Sure. In fact, your output might look identical. But in the end, the code that PDO would require would be a hell of a lot shorter than the code if you had done it manually.

Also, if you aren't using prepared statements, you run the risk of human error: say you forget to escape a value or sanitize an input. Mixed in with all of your other code, the one line that isn't properly sanitizing could crop up to be a nightmare down the road.

Hope this helps!

like image 124
mattbasta Avatar answered Nov 09 '22 14:11

mattbasta
Sign in to Comment

Related questions

hide composer vendor folder that's inside docroot
How do I enable mysqli for my PHP script? [duplicate]
How to redirect Laravel route from Javascript file in blade template
How can I search for a record using a part of a string field in Laravel/Eloquent?
How do you generate an RSS feed?
Calling java from PHP exec
Managing date formats differences between PHP and MySQL
how to make echo print out right away in PHP?
PHP Date Question
Is PHP for Windows the same as Linux, Mac, etc.?
500 Internal Server Error?
How can I send an email with attachments from a PHP form?
How to add line breaks in RSS feeds?
PHP and Microsoft Access database - Connection and CRUD
PHP Session is not destroying after user logout
PHP - with require_once/include/require, the path is relative to what?
php not returning value of false
In PHP, what is the difference between hash and mhash?
How to remove values from an array whilst renumbering numeric keys
Trying to make a CodeIgniter controller called "List"

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!