eMonk Posted August 6, 2013

I want to switch to mysqli prepared statements but have a question before I start.

example 1

    $query = $mysqli->prepare('SELECT * FROM users WHERE username = ?');
    $query->bind_param('s', $_GET['username']);
    $query->execute();

example 2

    $query = $mysqli->prepare("SELECT * FROM users WHERE username = 'Rick' ");
    $query->execute();

Is bind_param always necessary, and why, for security reasons?

Link to comment https://forums.phpfreaks.com/topic/280872-switching-to-mysqli_prepared-statements/
requinix Posted August 6, 2013

Compare them fairly:

    $query = $mysqli->prepare('SELECT * FROM users WHERE username = ?');
    $query->bind_param('s', $_GET['username']);
    $query->execute();

    $query = $mysqli->prepare("SELECT * FROM users WHERE username = '" . $_GET['username'] . "' ");
    $query->execute();

See the problem with #2? The username isn't escaped. Without prepared statements you'd have to escape it yourself, which requires knowing how to do that properly (which isn't complicated or anything). With prepared statements you don't have to, and in fact should not, escape anything. No hidden gotchas.
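The difference requinix describes, as an added example that is not part of the original thread: the two query shapes side by side, run against a constructed in-memory SQLite table (SQLite stands in for MySQL here so the script runs offline; the parameter-binding principle is the same as mysqli's prepare/bind_param). `lookup_concat` splices the username into the SQL text like example #2 with user input; `lookup_bound` sends it as a bound parameter. The sample rows and the `' OR '1'='1` payload are constructed for this demonstration.

```python
import sqlite3

# Constructed sample data: a small users table in an in-memory database.
SAMPLE_USERS = [("Rick", "user"), ("admin", "admin"), ("O'Brien", "user")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, username):
    # String-building form: the value becomes part of the SQL text, so any
    # quote character in it is parsed as SQL rather than as data.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, username):
    # Bound-parameter form: the SQL text is fixed, the value is delivered
    # separately, and no escaping is needed (or wanted) for it.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both forms against the same inputs and return the outcomes."""
    conn = make_db()
    payload = "' OR '1'='1"       # classic tautology injection
    legit = "O'Brien"             # benign name that happens to contain a quote

    results = {
        "concat_normal": lookup_concat(conn, "Rick"),
        "bound_normal": lookup_bound(conn, "Rick"),
        # Concatenation turns the payload into ... WHERE username = '' OR '1'='1'
        "concat_injected": sorted(lookup_concat(conn, payload)),
        # Binding compares the literal string; nothing matches.
        "bound_injected": lookup_bound(conn, payload),
        # Binding also handles the quote in a real name without escaping.
        "bound_quote_name": lookup_bound(conn, legit),
    }
    # Concatenation breaks on the same legitimate name: the query is no longer valid SQL.
    try:
        results["concat_quote_name"] = lookup_concat(conn, legit)
    except sqlite3.Error as exc:
        results["concat_quote_name"] = "error: " + type(exc).__name__
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the binding form needs no `mysqli_real_escape_string` (or any other escaping) and still handles both the hostile payload and the apostrophe in a genuine name; the concatenated form gets both cases wrong, in opposite directions.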
eMonk Posted August 6, 2013 (Author)

Ah, I believe I understand it now. The use of bind_param is for the values stored within a table. Thanks!