ivoputzer

Reputation: 6469

mysqli bind param data types

I’m currently working on a small set of database access and management classes in PHP. While trying to understand our well-known mysqli better, I still fail to understand why and how the variable types defined in mysqli_stmt::bind_param could and would enhance security/utility within the current application.

The advantages of having a MySQL statement going on are clear. Query and values are submitted on two different paths, and that of course makes the application more secure and more error-proof! But what happens to these variables… are they checked beforehand by PHP or afterwards in MySQL?

Is it just mysqli being lazy and doing something like this?

!is_numeric($v) && (!is_null($v) || $v != "NULL") ? "'$v'" : $v

Or is there any var type definition on the MySQL side which I don’t know about?

"PREPARE stmt_name FROM … ";
"SET @var1 = 3";
"SET @var2 = 'foo'";
"EXECUTE stmt_name USING @var1, @var2";

It doesn’t seem there’s much going on with these values. Pretty much anything passed as a string is evaluated properly… then why bother?

There’s another side question, though it is related to this one: is there any way to replicate mysqli’s way of sending blob strings in packets?

Thanks bye

Upvotes: 1

Views: 662

Answers (1)

ivoputzer

Reputation: 6469

As nobody has given an answer yet... I do have one now! The data-type definition within bind_param does nothing more than add those quotes to the query, although variables are bound at a lower level than a PHP script could ever be capable of! Formally, going through any path other than mysqli/PDO would mean transferring all the data as strings!

That’s it, cheers!

Upvotes: 3
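
An added illustration, not part of the original question or answer and not mysqli's own code: how bind_param type letters map onto the MySQL binary protocol's COM_STMT_EXECUTE packet, where each parameter travels as a type code plus a binary value instead of quoted SQL text. The letter-to-type mapping assumes a 64-bit PHP build using mysqlnd; `comStmtExecute`, `lenenc` and the sample values are hypothetical names and constructed input.

```php
<?php
// Added example: builds a COM_STMT_EXECUTE payload by hand; nothing is sent.
const TYPE_CODES = [   // bind_param letter => wire type code (assumed 64-bit PHP)
    'i' => 0x08,       // MYSQL_TYPE_LONGLONG
    'd' => 0x05,       // MYSQL_TYPE_DOUBLE
    's' => 0xfd,       // MYSQL_TYPE_VAR_STRING
    'b' => 0xfb,       // MYSQL_TYPE_LONG_BLOB
];
// Length-encoded integer that prefixes every string value.
function lenenc(int $n): string
{
    if ($n < 251)       return pack('C', $n);
    if ($n < 0x10000)   return "\xfc" . pack('v', $n);
    if ($n < 0x1000000) return "\xfd" . substr(pack('V', $n), 0, 3);
    return "\xfe" . pack('P', $n);
}

function comStmtExecute(int $stmtId, string $types, array $values): string
{
    $count = strlen($types);
    if ($count === 0 || $count !== count($values)) {
        throw new InvalidArgumentException('need one value per type letter');
    }
    $nullBitmap = array_fill(0, intdiv($count + 7, 8), 0);
    $typeBlock = $valueBlock = '';
    foreach (array_values($values) as $i => $v) {
        $code = TYPE_CODES[$types[$i]] ?? null;
        if ($code === null) {
            throw new InvalidArgumentException("unknown type letter {$types[$i]}");
        }
        $typeBlock .= pack('CC', $code, 0);          // type code + unsigned flag
        if ($v === null) {                           // NULL: bitmap bit, no value bytes
            $nullBitmap[$i >> 3] |= 1 << ($i & 7);
            continue;
        }
        switch ($types[$i]) {
            case 'i': $valueBlock .= pack('P', (int) $v); break;     // 8-byte LE integer
            case 'd': $valueBlock .= pack('e', (float) $v); break;   // 8-byte LE double
            case 's': $valueBlock .= lenenc(strlen((string) $v)) . $v; break; // raw, unquoted
            case 'b': break; // data goes in separate COM_STMT_SEND_LONG_DATA packets
        }
    }
    return pack('CVCV', 0x17, $stmtId, 0, 1)         // command, stmt id, flags, iterations
         . implode('', array_map('chr', $nullBitmap))
         . "\x01"                                    // new-params-bound flag
         . $typeBlock . $valueBlock;
}
// Constructed sample input: statement id 1, one integer and one string.
echo bin2hex(comStmtExecute(1, 'is', [3, "O'Reilly"])), "\n";
```

The string's apostrophe appears in the payload as a plain byte after its length prefix, with no escaping or quoting, and a 'b' parameter contributes only its type code because its data is sent ahead of the execute packet (what mysqli_stmt::send_long_data does).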
