mkosmosports, posted October 10, 2007
Hey, a database admin using Oracle spoke to me yesterday about his golden rule being to always use bind variables and never hardcode values in a SQL query (to prevent SQL injection and secure the DB better). I've found very little regarding the support for this in MySQL. Is it available? And if it is, is it a good solution? Does anyone have any experience with it and can give me some pointers or refer me to some online info? Any suggestions appreciated! Thanks. Mkosmosports
Thread: https://forums.phpfreaks.com/topic/72624-php-mysql-and-bind-variables/
mkosmosports (author), posted October 12, 2007
*bump* *bump* I found out using bind variables is possible through the mysqli extension. Now, I still want to know if anyone has any experience with this. Is mysqli a robust extension? Any tutorials on it and bind variables? Thanks!
MasterACE14, posted October 12, 2007
For tutorials, just Google it.
Aureole, posted October 12, 2007
I think the OP stated that he already searched and couldn't find any information. While most of the time the answers to your questions can be found using Google, it isn't always true.
"I've found very little regarding the support for this in MySQL."
mkosmosports (author), posted October 12, 2007
I've found some tutorials on mysqli, so I'm going through those right now. If someone has some experience with this, though, I would still love it if you shared it with me. It seems the mysqli class offers big advantages if you want to get the most out of MySQL. One major question I have then is: why is it so rarely used? (It seems to me it is.) Are there any disadvantages to it? Thanks.
Aureole, posted October 12, 2007
Well, I don't know anything about MySQLi, but you said class... and I'm thinking class as in OOP, and most people don't like OOP 'cause it's more complicated than normal PHP, and MySQL by default is quite easy to use... You did mean that kind of class, right? Anyway, I'm interested; if you find out any information, let me know via PM or something.
mkosmosports (author), posted October 12, 2007
Yes Aureole, I did mean class as in OOP, and sure, I will PM you with any good info on it. Personally, the main reason I want to use it is to use bind variables (which are available from MySQL 5 onwards, from what I read), which I heard are the best and easiest way to prevent SQL injection. Here's the first mysqli tutorial I found: http://www.phpfever.com/mysqli-tutorial.html
Aureole, posted October 12, 2007
Thanks for the link, I'll read up on it.
mkosmosports (author), posted October 12, 2007
Hmmm, I've found some more resources on this, and you can prepare statements with bind variables using the following mysqli function: http://us3.php.net/manual/en/function.mysqli-stmt-bind-param.php
Based on comments in that manual and some other resources I've found, it seems this is still quite unstable, so I think I'm going to revert back to using mysql_real_escape_string().
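The mysqli_stmt_bind_param() pattern the manual page above documents, as an added example that is not code from the thread or from the linked tutorial. It assumes a MySQL server on localhost, a database "app" with user "app" and password "secret", and a table users(id INT PRIMARY KEY AUTO_INCREMENT, username VARCHAR(64), email VARCHAR(255)); those names and credentials are placeholders, and the rows and the attacker string are constructed sample data.

```php
<?php
// Added example (not from the thread). Assumed environment: MySQL on localhost,
// database "app", user "app", password "secret", table
// users(id INT PRIMARY KEY AUTO_INCREMENT, username VARCHAR(64), email VARCHAR(255)).

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on every MySQL error
$db = new mysqli('localhost', 'app', 'secret', 'app');
$db->set_charset('utf8mb4');

// bind_param() binds by reference, so one prepared INSERT can be executed many
// times with fresh values: the server parses the SQL once and only receives data
// afterwards, which is the performance gain the thread mentions.
$stmt = $db->prepare('INSERT INTO users (username, email) VALUES (?, ?)');
$username = '';
$email = '';
$stmt->bind_param('ss', $username, $email);   // one type char per '?': s string, i int, d double, b blob
foreach ([['alice', 'alice@example.com'], ['bob', 'bob@example.com']] as [$username, $email]) {
    $stmt->execute();                          // constructed sample rows
}
$stmt->close();

// Constructed attacker input. Spliced into SQL text it would read
//   WHERE username = 'nobody' OR '1'='1'
// and match every row. Bound as a parameter it is compared as one literal string
// (quote and all) and matches nothing, because the query structure was fixed at
// prepare() time, before the server ever saw the value.
$probe = "nobody' OR '1'='1";
$stmt = $db->prepare('SELECT id, email FROM users WHERE username = ?');
$stmt->bind_param('s', $probe);
$stmt->execute();
$stmt->bind_result($id, $email);
$matches = 0;
while ($stmt->fetch()) {
    $matches++;
}
$stmt->close();
printf("rows matching the attacker string: %d\n", $matches);

// Placeholders stand for values only. A table or column name, or an ORDER BY
// column, cannot be bound, so anything user-controlled there must be checked
// against a fixed list before it is interpolated. LIMIT is a value and binds fine.
$allowed = ['id', 'username', 'email'];
$sort = $_GET['sort'] ?? 'id';
if (!in_array($sort, $allowed, true)) {
    $sort = 'id';
}
$limit = 10;
$stmt = $db->prepare("SELECT id, username FROM users ORDER BY $sort LIMIT ?");
$stmt->bind_param('i', $limit);
$stmt->execute();
$stmt->bind_result($id, $username);
while ($stmt->fetch()) {
    printf("%d %s\n", $id, $username);
}
$stmt->close();
$db->close();
```

Run it from the command line with `php bind_param.php` against the assumed database. Note that mysql_real_escape_string() only protects quoted string literals and depends on set_charset() having told the client library the real connection charset; a bound parameter needs neither, which is why the prepared form is the simpler default.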
mkosmosports (author), posted October 12, 2007
It seems I have found a stable and solid solution to this: the PDO class. For those interested, this seems like a great solution for better performance and the painful security headache which is SQL injection. MySQL 5+ and PHP 5+ are required here: http://www.php.net/pdo
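The same lookup through PDO, as an added example that is not code from the thread or from the PDO manual: the concatenated query that the OP's DBA warns against beside the prepared statement with a named placeholder. So that it runs without a MySQL server it uses PDO's bundled SQLite driver on an in-memory database; for MySQL the only change is the DSN and credentials (the `mysql:` DSN shown in the comment is an assumed placeholder). The users table, its rows and the attacker string are constructed sample data.

```php
<?php
// Added example (not from the thread). Runs offline on pdo_sqlite; for MySQL use
// new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret')
// (assumed placeholder values) and everything below stays the same.

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // The mysql driver emulates prepares client-side by default, i.e. PDO quotes the
    // values into the SQL text itself. Turning emulation off makes it a real
    // server-side prepared statement: SQL first, values separately.
    if ($pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
        $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    return $pdo;
}

function seed(PDO $pdo): void
{
    // Constructed sample data.
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
    $ins = $pdo->prepare('INSERT INTO users (username, email) VALUES (:u, :e)');
    foreach ([['alice', 'alice@example.com'], ['bob', 'bob@example.com']] as [$u, $e]) {
        $ins->execute([':u' => $u, ':e' => $e]);
    }
}

// Vulnerable: the input is part of the SQL text. An attacker's quote ends the
// literal and the OR makes the predicate true for every row.
function lookupConcatenated(PDO $pdo, string $username): array
{
    $sql = "SELECT id, email FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the SQL text is a fixed string; the value is bound and can only ever be
// data, however many quotes it contains.
function lookupPrepared(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = connect();
seed($pdo);
$attack = "nobody' OR '1'='1";   // constructed attacker input
printf("concatenated, attacker input:  %d rows\n", count(lookupConcatenated($pdo, $attack)));
printf("prepared, attacker input:      %d rows\n", count(lookupPrepared($pdo, $attack)));
printf("prepared, legitimate 'alice':  %d rows\n", count(lookupPrepared($pdo, 'alice')));
```

The concatenated lookup returns every row of the table for the attacker string, the prepared one returns none, and the prepared lookup still finds the real user. Use bindValue() with PDO::PARAM_INT for integer placeholders such as a LIMIT; as with mysqli, table and column names cannot be placeholders and must be validated against a fixed list instead.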