johnsmith153 Posted November 24, 2010

I have just got hold of a MySQLi class (a wrapper to the built-in one, of course), and for EVERY query sent they have used prepared statements. Is this right? I expected it to just send using the mysqli_query function (with the prepared statements option if selected). Should you send ALL queries using a prepared statement? What (if any) are the downfalls of using prepared statements?
objnoob Posted November 24, 2010

I always build my own mysql statements from scratch. As long as you are careful enough to sanitize ANY and ALL user input you'll be fine. I once read it gets overly complicated trying to use null datatypes with prepared statements.
johnsmith153 (Author) Posted November 24, 2010

I don't think I should write off prepared statements like this, otherwise why would anybody ever use them? What do others think? This class was from phpclasses.org and they seem to know what they are doing.
johnsmith153 (Author) Posted November 24, 2010

http://www.phpclasses.org/package/5770-PHP-MySQL-database-access-using-MySQLi.html
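An added example, not from the thread or from the phpclasses.org package, showing the difference the thread is arguing about: the same lookup written by interpolating a value into the query text and written as a prepared statement, plus how a NULL is bound (the case objnoob mentions). The connection details and the `users` table (id INT, email VARCHAR, nickname VARCHAR NULL) are made up for illustration; `get_result()` assumes the mysqlnd driver.

```php
<?php
// Added example (not from the thread or the phpclasses.org package).
// Assumes a reachable MySQL server; credentials and the `users` table
// are constructed for illustration.

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}

// Interpolated: the value becomes part of the SQL text. This only stays
// safe if escaping is applied to every value on every query, which is
// exactly what is easy to miss when each statement is built by hand.
function findByEmailInterpolated(mysqli $db, string $email): ?array
{
    $sql = "SELECT id, email, nickname FROM users WHERE email = '$email'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Prepared: the SQL text is fixed when prepare() runs; the value is sent
// separately and cannot change the structure of the statement, so no
// per-value sanitizing step is needed for it.
function findByEmail(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email, nickname FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);   // binds by reference: pass a variable, not a literal
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// NULL with bind_param: bind a variable whose value is null and mysqli
// sends SQL NULL whatever the type character says. Note that this works
// for SET/VALUES; in a WHERE clause "col = NULL" never matches, so a
// nullable filter needs an explicit IS NULL branch.
function updateNickname(mysqli $db, int $id, ?string $nickname): int
{
    $stmt = $db->prepare('UPDATE users SET nickname = ? WHERE id = ?');
    $stmt->bind_param('si', $nickname, $id);   // $nickname may be null
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Usage (assumes the table exists):
$user = findByEmail($db, 'someone@example.com');
var_dump($user);
var_dump(updateNickname($db, 1, null));   // clears the nickname to NULL
```

The practical answer to the original question is in the two `findByEmail` versions: with a prepared statement the query text and the data are delivered to the server separately, so the safety of the query no longer depends on remembering to sanitize each value. The costs are the ones visible above, an extra round trip per statement and some boilerplate, and the NULL case needs care only in WHERE clauses, not in binding.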