marcbraulio Posted August 3, 2012 Share Posted August 3, 2012 Hello everyone, From a security stand point, what are the differences between these two queries? $calories = 150; $colour = 'red'; $sth = $dbh->prepare('SELECT name, colour, calories FROM fruit WHERE calories < :calories AND colour = :colour'); $sth->bindParam(':calories', $calories, PDO::PARAM_INT); $sth->bindParam(':colour', $colour, PDO::PARAM_STR, 12); $sth->execute(); and $calories = 150; $colour = 'red'; $sth = $dbh->prepare('SELECT name, colour, calories FROM fruit WHERE calories < :calories AND colour = :colour'); $sth->execute(array(':calories' => $calories, ':colour' => $colour)); Essentially they do the same thing, but does the addition of "Bind Parameters" add an extra layer of security? I am currently using the latter method. Quote Link to comment https://forums.phpfreaks.com/topic/266653-from-a-security-stand-point-what-are-the-differences-between-these-two-queries/ Share on other sites More sharing options...
requinix Posted August 4, 2012 Share Posted August 4, 2012 Possibly. The first one allows you to specify a data type manually while the second uses whatever type the variables are*. The first one provides a limit on string lengths but the second does not. To match that, $sth->execute(array(':calories' => (int)$calories, ':colour' => substr((string)$colour, 0, 12))); * Note that values from GET and POST are strings! Quote Link to comment https://forums.phpfreaks.com/topic/266653-from-a-security-stand-point-what-are-the-differences-between-these-two-queries/#findComment-1366705 Share on other sites More sharing options...
marcbraulio Posted August 4, 2012 Author Share Posted August 4, 2012 I see, thank you for the clear and precise answer! Quote Link to comment https://forums.phpfreaks.com/topic/266653-from-a-security-stand-point-what-are-the-differences-between-these-two-queries/#findComment-1366708 Share on other sites More sharing options...
PFMaBiSmAd Posted August 4, 2012 Share Posted August 4, 2012 See the second half of the following reply for more information about passing an array to the ->execute() method - http://forums.phpfreaks.com/index.php?topic=363187.msg1718935#msg1718935 From the PDO ->execute() doc - An array of values with as many elements as there are bound parameters in the SQL statement being executed. All values are treated as PDO::PARAM_STR. Quote Link to comment https://forums.phpfreaks.com/topic/266653-from-a-security-stand-point-what-are-the-differences-between-these-two-queries/#findComment-1366713 Share on other sites More sharing options...
requinix Posted August 4, 2012 Share Posted August 4, 2012 See the second half of the following reply for more information about passing an array to the ->execute() method - http://forums.phpfreaks.com/index.php?topic=363187.msg1718935#msg1718935 From the PDO ->execute() doc - An array of values with as many elements as there are bound parameters in the SQL statement being executed. All values are treated as PDO::PARAM_STR. I knew I should have checked the manual first. Quote Link to comment https://forums.phpfreaks.com/topic/266653-from-a-security-stand-point-what-are-the-differences-between-these-two-queries/#findComment-1366714 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.