Jump to content

From a security stand point, what are the differences between these two queries?

marcbraulio

By marcbraulio
in MySQL Help

 Share

Recommended Posts

marcbraulio Member

marcbraulio

Posted
Posted

Hello everyone,

 

From a security stand point, what are the differences between these two queries?

 


$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour');
$sth->bindParam(':calories', $calories, PDO::PARAM_INT);
$sth->bindParam(':colour', $colour, PDO::PARAM_STR, 12);
$sth->execute();

 

and

 


$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour');
$sth->execute(array(':calories' => $calories, ':colour' => $colour));

 

Essentially they do the same thing, but does the addition of "Bind Parameters" add an extra layer of security?

I am currently using the latter method.

Link to comment
Share on other sites
requinix Prolific Member

requinix

Posted
Posted

Possibly. The first one allows you to specify a data type manually while the second uses whatever type the variables are*. The first one provides a limit on string lengths but the second does not.

 

To match that,

$sth->execute(array(':calories' => (int)$calories, ':colour' => substr((string)$colour, 0, 12)));

 

* Note that values from GET and POST are strings!

Link to comment
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

See the second half of the following reply for more information about passing an array to the ->execute() method - http://forums.phpfreaks.com/index.php?topic=363187.msg1718935#msg1718935

 

From the PDO ->execute() doc -

An array of values with as many elements as there are bound parameters in the SQL statement being executed. All values are treated as PDO::PARAM_STR.

 

 

 

Link to comment
Share on other sites
requinix Prolific Member

requinix

Posted
Posted

See the second half of the following reply for more information about passing an array to the ->execute() method - http://forums.phpfreaks.com/index.php?topic=363187.msg1718935#msg1718935

 

From the PDO ->execute() doc -

An array of values with as many elements as there are bound parameters in the SQL statement being executed. All values are treated as PDO::PARAM_STR.

I knew I should have checked the manual first.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.