user391986

Reputation: 30956

should I escape code stored in mysql db or use placeholders?

I just found out about placeholders in DBI https://metacpan.org/pod/DBI#Placeholders-and-Bind-Values and it seems to be handling various codes pretty well. Should I be forcing escape regardless? Are there any scenarios where the placeholders would fail based on the input?

Upvotes: 1

Views: 195

Answers (1)

Dondi Michael Stroma

Reputation: 4800

If you escape them and then use bound placeholders, they will end up double escaped, which is not what you want. Just use placeholders. (I frequently use them even when the input is trusted, because it looks cleaner.)

There is rarely a reason to use escaping instead of placeholders. An example would be dynamically generating and manipulating a query as an SQL string, but you really shouldn't do that anyway (there are plenty of libraries on CPAN for generating SQL).

The only example that I know of in which a placeholder would fail based on input that would not fail with string interpretation would be when you are interpolating column names from a string, LIMIT clauses, or some such (but again, that is dynamically generating SQL like I mentioned above.)

Placeholders >> manual escaping

Upvotes: 4
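Added example (not from the question or the answer) in Perl DBI against an in-memory SQLite database, assuming DBD::SQLite is installed; the same DBI calls apply with DBD::mysql. It shows the three points made above: a placeholder handles a quote-laden value as plain data, escaping first and then binding stores a double-escaped value, and a column name cannot be bound, so it is allow-listed and passed through `quote_identifier` instead.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; ":memory:" keeps the example self-contained.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");

# Constructed sample input: an apostrophe plus an injection-style tail.
my $name = "O'Reilly'; DROP TABLE users; --";

# 1. Placeholder: the value travels as data and is never parsed as SQL.
$dbh->do("INSERT INTO users (name) VALUES (?)", undef, $name);

# 2. Escaping *and* binding: the already-quoted string is bound verbatim,
#    so the row keeps the outer quotes and the doubled apostrophes.
my $escaped = $dbh->quote($name);
$dbh->do("INSERT INTO users (name) VALUES (?)", undef, $escaped);

my $rows = $dbh->selectall_arrayref("SELECT name FROM users ORDER BY id");
print "bound:          $rows->[0][0]\n";   # O'Reilly'; DROP TABLE users; --
print "double-escaped: $rows->[1][0]\n";   # 'O''Reilly''; DROP TABLE users; --'

# 3. Identifiers cannot be placeholders. Allow-list the column name, then
#    quote it as an identifier; the WHERE value still goes through a placeholder.
my %sortable = map { $_ => 1 } qw(id name);
my $col = "name";                           # would normally come from a request parameter
die "refusing unknown sort column '$col'\n" unless $sortable{$col};
my $sql = sprintf "SELECT id FROM users WHERE name = ? ORDER BY %s",
    $dbh->quote_identifier($col);
my ($id) = $dbh->selectrow_array($sql, undef, $name);
print "matched id $id using a placeholder plus a quoted identifier\n";   # matched id 1
```

The second row is what "double escaped" looks like in practice: a lookup for the original name will never match it.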
