Jump to content

php, mysql and bind variables

mkosmosports

By mkosmosports
in PHP Coding Help

 Share

Recommended Posts

mkosmosports Regular Member

mkosmosports

Posted
Posted

Hey,

 

A database admin using Oracle spoke to me yesterday about his golden rule being to always use bind variables and never hardcoding in a sql query. (to prevent sql injection, and secure the db better)

 

Ive found very little regarding the support for this in mysql. Is it available? And if it, is it a good solution? Does anyone have any experience with it and can give me some pointers or refer me to some online info?

 

Any suggestions appreciated!

 

Thanks.

Mkosmosports

 

 

 

 

Link to comment
Share on other sites
mkosmosports Regular Member

mkosmosports

Posted
  • Author
Posted

Ive found some tutorials on mysqli, so Im going through those right now. If someone has some experience with this though, I would still love it if you shared them with me.

 

It seems the mysqli class offers big advantages if you want to get the most out of mysql. One major question I have then is, why is it so rarely used? (It seems to me it is) Is there any disadvantages to it?

 

Thanks.

Link to comment
Share on other sites
Aureole Advanced Member

Aureole

Posted
Posted

Well I don't know anything about MYSQLI but you said Class... and I'm thinking Class as in OOP and most people don't like OOP 'cause it's more complicated than normal PHP and MYSQL by default is quite easy to use...

 

You did mean that kind of Class, right?

 

Anyway I'm interested, if you find out any information let me know via PM or something. ;)

Link to comment
Share on other sites
mkosmosports Regular Member

mkosmosports

Posted
  • Author
Posted

Yes Aureole, I did mean class as in OOP, and sure, I will PM you with any good info on it.

 

Personally, the main reason I want to use it, is to use bind variables (which are available from mysql 5 onwards from what I read), which I heard are the best and easiest way to prevent SQL injection. Here's the first mysqli tutorial I found:

 

http://www.phpfever.com/mysqli-tutorial.html

Link to comment
Share on other sites
mkosmosports Regular Member

mkosmosports

Posted
  • Author
Posted

Hmmm, Ive found some more resources on this and you can prepare statements with bind variables using the following mysqli function:

 

http://us3.php.net/manual/en/function.mysqli-stmt-bind-param.php

 

Based on comments in that manual and some other resources Ive found it seems this is still quite unstable, so I think Im gonna revert back to using mysql_real_escape_string().

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.