
Very Confused


downah


So I just saw this http://www.ultramegatech.com/2009/07/using-mysql-prepared-statements-in-php/ from another topic, and I am a bit confused now. I started coding a little while back, but did not get introduced to mysqli until very recently. Should I change all my normal mysql queries to the mysqli prepared statements like the website/tutorial states? Does this mean I won't have to use mysql_real_escape_string, and that it is more secure in general?

 

Would really like some input, much appreciated.

https://forums.phpfreaks.com/topic/262214-very-confused/

You don't have to change your queries to prepared statements, but there are benefits from doing so. Of course, there are also downsides -- prepared statements usually require a little more processing time, albeit very little (probably unnoticeable).

 

If you use prepared statements, you do not have to escape data. SQL injection is altogether avoided. You do, however, still need to sanitize for things like XSS (if you prefer to store cleansed data rather than cleanse on output).

 

I have the same question. I have always used MySQL, but now I'm hearing I should be using MySQLi?

If so, why? What is so much better about this versus the old MySQL? I am simply curious.

 

Thank you

 

The mysqli extension has quite a few benefits. Namely: an optional object-oriented API, prepared statements, and it is being actively developed (the mysql extension is maintenance-only).


I see, so if I start using the mysqli functions I won't have to sanitize my normal queries at all? I understand why it is a little bit slower, but that does not really bother me, as the pro side of not having to sanitize the database input, and it being a lot more secure, is a massive upside to me. I am just not sure whether what I am thinking is right.

 

Would you say an experienced developer who is up to date would always use mysqli prepared statements instead of normal mysql queries? I am a bit confused as to what I should get used to doing; I was quite happy having gotten the grasp of the mysql functions :shrug:


Most up-to-date developers would be using PDO, unless there's some MySQL-specific syntax or optimizations that need to be performed.

 

If I was writing MySQL-specific queries, I would use MySQLi in its object-oriented form. I tend to not use prepared statements, but they do have merits. If you don't care to sanitize beyond real_escape_string(), then it's great. Personally, I like stricter sanitization that I code myself, and feedback if x data doesn't match y format.

 

Only prepared statements, using placeholders, takes care of sanitization for you. The standard mysqli_query will not.

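The contrast the replies draw (plain mysqli_query with a concatenated value, escaping with real_escape_string(), and a prepared statement with a placeholder, plus escaping on output for XSS), as an added example that is not from the thread or the linked tutorial. It assumes an open mysqli connection `$db` and a hypothetical `users` table with `id`, `username` and `email` columns.

```php
<?php
// Added example, not the thread's own code. Assumes $db is a connected
// mysqli object and a hypothetical `users` table (id, username, email).

// 1. mysqli_query with the value concatenated into the SQL: the query text
//    and the user-supplied value are mixed, so a value containing a quote
//    changes the SQL itself. This is what mysqli_query does NOT protect.
function findUserUnsafe(mysqli $db, string $username): ?array
{
    $sql = "SELECT id, username, email FROM users WHERE username = '" . $username . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// 2. Escaping: safe only if every interpolated value is escaped AND quoted,
//    and the connection charset was set (set_charset), because
//    real_escape_string depends on it. Easy to miss one spot.
function findUserEscaped(mysqli $db, string $username): ?array
{
    $safe = $db->real_escape_string($username);
    $sql = "SELECT id, username, email FROM users WHERE username = '$safe'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// 3. Prepared statement with a placeholder: the SQL text is sent first and
//    the value separately, so the value is never parsed as SQL and no
//    escaping is needed for the query.
function findUserPrepared(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE username = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);          // 's' = bind as string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();  // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Prepared statements only address SQL injection; a value echoed into HTML
// still has to be escaped at output time, as the second reply points out.
function renderUsername(?array $row): string
{
    return htmlspecialchars($row['username'] ?? '', ENT_QUOTES, 'UTF-8');
}
```

Call `$db->set_charset('utf8mb4')` right after connecting so that both the escaping and the prepared path work with the same character set.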
