imperium2335 Posted November 29, 2011 Share Posted November 29, 2011 Hi, I have been wondering about security and the different ways in which placeholders are assigned variables. 2 ways: $result = $dbh->prepare('SELECT whatever FROM table WHERE id = ? AND otherRef = ?') ; $result->bindParam(1, $var1, PDO::PARAM_INT) ; $result->bindParam(2, $var2, PDO::PARAM_INT) ; $result->execute() ; VS: $result = $dbh->prepare('SELECT whatever FROM table WHERE id = ? AND otherRef = ?') ; $result->execute($var1, $var2) ; Is the former more secure because you are explicitly stating that the variables must be INT as opposed to anything else? Quote Link to comment Share on other sites More sharing options...
Adam Posted November 30, 2011 Share Posted November 30, 2011 There's no real difference in security, prepared statements are generally pretty secure on their own. Binding data with the correct type will ensure that the database has the right type of data for the query. If you don't define it then the type will default to a string, which may cause issues with say integer values. MySQL will probably let you off and internally cast the data, but other databases aren't so lenient. Also a feature of stored procedures is that you're able to pass output parameters, which require you to define them as their data type + output type. You couldn't do that if you used your second example. I think using MySQL you'll probably not run into any issues passing everything as a string - as I said MySQL is very lenient - but declaring/knowing all your data types is a good habit to get into. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.