PDO PARAM More Secure?

[imperium2335]

Hi,

 

I have been wondering about security and the different ways in which placeholders are assigned variables.

 

2 ways:

 

$result = $dbh->prepare('SELECT whatever FROM table WHERE id = ? AND otherRef = ?') ;

$result->bindParam(1, $var1, PDO::PARAM_INT) ;

$result->bindParam(2, $var2, PDO::PARAM_INT) ;

$result->execute() ;

 

VS:

 

$result = $dbh->prepare('SELECT whatever FROM table WHERE id = ? AND otherRef = ?') ;

$result->execute($var1, $var2) ;

 

Is the former more secure because you are explicitly stating that the variables must be INT as opposed to anything else?

[Adam]

There's no real difference in security, prepared statements are generally pretty secure on their own. Binding data with the correct type will ensure that the database has the right type of data for the query. If you don't define it then the type will default to a string, which may cause issues with say integer values. MySQL will probably let you off and internally cast the data, but other databases aren't so lenient.

 

Also a feature of stored procedures is that you're able to pass output parameters, which require you to define them as their data type + output type. You couldn't do that if you used your second example.

 

I think using MySQL you'll probably not run into any issues passing everything as a string - as I said MySQL is very lenient - but declaring/knowing all your data types is a good habit to get into.