Reputation: 21988
Is it possible to use prepared statements using the deprecated mysql extension in PHP? I have a server that will not be getting mysqli or PDO anytime soon and need to do RLIKE lookups against user supplied text. mysql_real_escape_string() will be used but I was concerned that it would be insufficient.
Upvotes: 2
Views: 1181
Reputation: 562260
Here's a PHP script, using the deprecated mysql API, that demonstrates using PREPARE and EXECUTE. I tested this with PHP 5.3.15 and MySQL 5.5.29 and it works for me. However, I don't recommend it.
    <?php
    $x = 3;
    $y = 4;
    mysql_connect('localhost', 'root', 'xxxx') or die(mysql_error());
    mysql_select_db('test');
    // The statement text holds only ? placeholders; values are bound via user variables.
    mysql_query("SET @sql = 'SELECT SQRT(POW(?,2) + POW(?,2)) AS hypotenuse'");
    mysql_query("PREPARE stmt FROM @sql");
    mysql_query("SET @x = $x"); // SQL injection!
    mysql_query("SET @y = $y"); // SQL injection!
    $result = mysql_query("EXECUTE stmt USING @x, @y");
    while ($row = mysql_fetch_assoc($result)) {
        print $row["hypotenuse"] . "\n";
    }
    mysql_close();
As I noted in the comments, this sort of misses the point of prepared queries, because you have to interpolate possibly untrusted content into your SET statements.
You really should fix your PHP installation and enable the mysqli or the PDO_mysql extensions, so you can use real API-level prepare and execute.
Upvotes: 2
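As an added example (not from the answer above), this is the same SET / PREPARE / EXECUTE pattern applied to the RLIKE case from the question, with the user-supplied pattern interpolated into SET only as a quoted, escaped string literal. The table `posts`, its columns `id` and `body`, and the connection credentials are assumed for illustration.

```php
<?php
// Added example: server-side prepared statement through the old mysql extension,
// with the user value entering the SET statement as an escaped string literal.
// Table `posts` with columns `id` and `body` is assumed.

function rlike_search($link, $userPattern) {
    // mysql_real_escape_string() escapes according to the connection charset,
    // so set the charset through the API rather than with a "SET NAMES" query.
    mysql_set_charset('utf8', $link);

    // The statement text contains no user data, only the ? placeholder.
    mysql_query("SET @sql = 'SELECT id, body FROM posts WHERE body RLIKE ?'", $link)
        or die(mysql_error($link));
    mysql_query("PREPARE stmt FROM @sql", $link) or die(mysql_error($link));

    // User data enters only here. The escaping together with the surrounding
    // quotes keeps it a single string literal; escaping alone, without the
    // quotes, would not (compare "SET @x = $x" in the answer above).
    $literal = "'" . mysql_real_escape_string($userPattern, $link) . "'";
    mysql_query("SET @pat = $literal", $link) or die(mysql_error($link));

    // An invalid regex makes EXECUTE fail, so check the result before fetching.
    $result = mysql_query("EXECUTE stmt USING @pat", $link) or die(mysql_error($link));
    mysql_query("DEALLOCATE PREPARE stmt", $link);

    $rows = array();
    while ($row = mysql_fetch_assoc($result)) {
        $rows[] = $row;
    }
    return $rows;
}

$link = mysql_connect('localhost', 'user', 'password') or die(mysql_error());
mysql_select_db('test', $link);

// Constructed sample input: a quote and a regex alternation. The quote is
// escaped, so the value stays a literal; the alternation is still a valid RLIKE.
$q = isset($_GET['q']) ? $_GET['q'] : "foo|bar'";
foreach (rlike_search($link, $q) as $row) {
    print $row['id'] . ": " . $row['body'] . "\n";
}
mysql_close($link);
```

Note that the value is still interpreted as a regular expression by RLIKE, so this only addresses SQL injection; if the text should match literally, its regex metacharacters need separate handling.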
Reputation: 15656
Take a look at this: http://dev.mysql.com/doc/refman/5.0/en/sql-syntax-prepared-statements.html
You have there the SQL syntax for prepared statements with manual param binding.
Upvotes: 0