
Hi,

I have been wondering about security and the different ways in which placeholders are assigned variables.

2 ways:

    $result = $dbh->prepare('SELECT whatever FROM table WHERE id = ? AND otherRef = ?');
    $result->bindParam(1, $var1, PDO::PARAM_INT);
    $result->bindParam(2, $var2, PDO::PARAM_INT);
    $result->execute();

VS:

    $result = $dbh->prepare('SELECT whatever FROM table WHERE id = ? AND otherRef = ?');
    // execute() takes a single array of values, one per placeholder
    $result->execute(array($var1, $var2));

Is the former more secure because you are explicitly stating that the variables must be INT as opposed to anything else?

https://forums.phpfreaks.com/topic/252033-pdo-param-more-secure/

There's no real difference in security; prepared statements are generally pretty secure on their own. Binding data with the correct type will ensure that the database has the right type of data for the query. If you don't define it, then the type will default to a string, which may cause issues with, say, integer values. MySQL will probably let you off and internally cast the data, but other databases aren't so lenient.

Also, a feature of stored procedures is that you're able to pass output parameters, which require you to define them as their data type + output type. You couldn't do that if you used your second example.

I think using MySQL you'll probably not run into any issues passing everything as a string - as I said, MySQL is very lenient - but declaring/knowing all your data types is a good habit to get into.
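The two binding styles from the question side by side, plus the one case on MySQL where the explicit PDO::PARAM_INT actually changes the outcome. This is an added example, not code from either poster; it assumes a PDO connection in $dbh and an invented table `items` with integer columns `id` and `otherRef`.

```php
<?php
// Added example. Assumes an existing PDO connection $dbh and a table `items`
// with integer columns id and otherRef (both invented for this illustration).

function fetchTyped(PDO $dbh, $id, $otherRef)
{
    $stmt = $dbh->prepare('SELECT * FROM items WHERE id = ? AND otherRef = ?');
    // Style 1: each placeholder is bound with an explicit type. bindValue()
    // snapshots the value now; bindParam() would read the variable at execute().
    $stmt->bindValue(1, (int) $id, PDO::PARAM_INT);
    $stmt->bindValue(2, (int) $otherRef, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function fetchUntyped(PDO $dbh, $id, $otherRef)
{
    $stmt = $dbh->prepare('SELECT * FROM items WHERE id = ? AND otherRef = ?');
    // Style 2: execute() takes ONE array of values, all bound as PDO::PARAM_STR.
    // Injection-wise the two styles are equivalent: the values are sent as
    // parameters and never become part of the SQL text.
    $stmt->execute(array($id, $otherRef));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function fetchPage(PDO $dbh, $limit)
{
    // Where the type does matter on MySQL: pdo_mysql emulates prepares by
    // default and quotes PARAM_STR values, so a string-bound LIMIT becomes
    // LIMIT '10', which MySQL rejects. With PARAM_INT the value is sent
    // as an integer and the query runs.
    $stmt = $dbh->prepare('SELECT * FROM items ORDER BY id LIMIT ?');
    $stmt->bindValue(1, (int) $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Optional hardening: ask for the server's native prepared statements, so the
// database rather than the client library keeps query and parameters apart.
// $dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
```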
