Reputation: 6188
I've had a good read of this question: mysqli or PDO - what are the pros and cons? But I think it's a bit dated. Are prepared statements still the best solution against injections?
I'm going to create a new PHP interface to access my MySQL database, so I want to get it right from the start.
Also, doesn't PDO slow your queries down a lot?
Upvotes: 0
Views: 224
Reputation: 318468
Use prepared statements/parametrized queries. This is completely safe, since you do not mix SQL with data in the same string and you don't have to think about escaping anymore. At least, if you don't start making your column/table names dynamic in a way users can modify them.
The advantages you get by using PDO are absolutely worth the minimal performance loss.
Upvotes: 7
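An added example, not code from the question or the answer, showing both halves of the answer: values bound through placeholders, and the one thing placeholders cannot cover (a caller-chosen column name), handled with an allow-list. It runs against an in-memory SQLite database through the same PDO API so no MySQL server is needed; it assumes the pdo_sqlite extension is loaded, and the table, rows and inputs are constructed here.

```php
<?php
// Added example: PDO prepared statements on an in-memory SQLite database.
// Assumes pdo_sqlite is available; schema and rows below are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql you would also set PDO::ATTR_EMULATE_PREPARES to false so
// the server itself binds the values instead of the driver interpolating them.

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$insert = $pdo->prepare('INSERT INTO users (name, role) VALUES (:name, :role)');
foreach ([['alice', 'admin'], ['bob', 'user']] as [$name, $role]) {
    $insert->execute([':name' => $name, ':role' => $role]);
}

// 1. Data goes through a placeholder. Whatever the input contains, it is
//    compared as a value and never parsed as part of the SQL text.
function findUser(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Identifiers (column/table names) cannot be bound as parameters; this is
//    the gap the answer warns about. Map the request onto a fixed allow-list
//    and only ever concatenate one of your own literals, never the raw input.
function listUsers(PDO $pdo, string $sortBy): array
{
    $allowed = ['id' => 'id', 'name' => 'name', 'role' => 'role'];
    if (!isset($allowed[$sortBy])) {
        throw new InvalidArgumentException("unsupported sort column: $sortBy");
    }
    $stmt = $pdo->query('SELECT id, name FROM users ORDER BY ' . $allowed[$sortBy]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: the classic quote-and-comment shape matches no row
// because it is only ever a string value; a hostile sort key is rejected.
var_dump(count(findUser($pdo, "' OR 1=1 --")));
var_dump(count(findUser($pdo, 'alice')));
var_dump(array_column(listUsers($pdo, 'name'), 'name'));
try {
    listUsers($pdo, 'name; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```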