Reputation: 3829
I am using a PDO statement as below:
select * from `admine_user` where `user_id` = ? and passw = ?
$resultfm1 = DB::instance()->prepare($query)->execute(array($escapedid,$hashedpass))->fetchAll();
I am thinking of using:
select * from `admine_user` where `user_id` = :user and passw = :pwd
$resultfm1 = DB::instance()->prepare($query)->execute(array(":user"=>$escapedid,":pwd"=>$hashedpass))->fetchAll();
Out of the above statements, which is better to use to prevent SQL injection effectively, as now I cannot use mysql_real_escape_string?
Upvotes: 1
Views: 75
Reputation: 562651
MySQL only supports positional parameters (the ? placeholders), so PDO internally converts named parameters into positional parameters during the prepare step.
So in fact both styles ultimately do the same thing with respect to MySQL.
Also, "emulated prepares" doesn't actually do anything in the prepare step, it just saves the query string. When you execute, you supply values and they are interpolated into the query and then submitted to MySQL. If you don't trust this process, then disable emulated prepares.
This is not to say that PDO does anything unsafe, although early versions of PDO had some bugs.
Just make sure you're using a current version of PDO (basically anything in PHP 5.3 or newer), and then both styles are as safe as one can be.
Notwithstanding any regression bugs that may occur after I write this...
Upvotes: 5
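The two binding styles from the question side by side, with the string-interpolation pattern they replace, as an added example that is not part of the original question or answer. It uses pdo_sqlite in memory so it runs offline with no server; the table and column names follow the question and the rows and the attacker input are constructed sample data. With MySQL only the DSN changes, and PDO::ATTR_EMULATE_PREPARES => false is the setting the answer refers to (SQLite accepts named placeholders natively, so the named-to-positional rewrite the answer describes is MySQL-specific and not visible here). Run it and both prepared variants return no rows for the injected user_id, while the interpolated variant matches every user.

```php
<?php
// Added example, not from the original post. sqlite::memory: is used so the
// script runs offline; for MySQL use e.g. 'mysql:host=localhost;dbname=app'.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    // Ask for real server-side prepares instead of client-side interpolation
    // of the values into the query string (relevant for the MySQL driver).
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

// Constructed sample schema and rows, named after the question's table.
$pdo->exec('CREATE TABLE admine_user (user_id TEXT, passw TEXT)');
$pdo->exec("INSERT INTO admine_user VALUES ('alice', 'hash_a'), ('bob', 'hash_b')");

// 1. Positional placeholders (the form MySQL supports natively).
function loginPositional(PDO $pdo, string $userId, string $hashedPass): array
{
    $stmt = $pdo->prepare('SELECT * FROM `admine_user` WHERE `user_id` = ? AND passw = ?');
    // Values are sent as parameters; they are never spliced into the SQL text.
    $stmt->execute([$userId, $hashedPass]);
    return $stmt->fetchAll();
}

// 2. Named placeholders (PDO rewrites these to ? for MySQL at prepare time).
function loginNamed(PDO $pdo, string $userId, string $hashedPass): array
{
    $stmt = $pdo->prepare('SELECT * FROM `admine_user` WHERE `user_id` = :user AND passw = :pwd');
    $stmt->execute([':user' => $userId, ':pwd' => $hashedPass]);
    return $stmt->fetchAll();
}

// 3. The pattern both of the above replace: interpolating the values into the
//    query string. Deliberately unsafe, kept here only for contrast.
function loginInterpolated(PDO $pdo, string $userId, string $hashedPass): array
{
    $sql = "SELECT * FROM `admine_user` WHERE `user_id` = '$userId' AND passw = '$hashedPass'";
    return $pdo->query($sql)->fetchAll();
}

// Constructed attacker input: closes the quote, adds a tautology, and comments
// out the password check. The trailing space after -- is required by MySQL.
$userId     = "' OR 1=1 -- ";
$hashedPass = 'not-the-real-hash';

foreach (['positional' => 'loginPositional',
          'named'      => 'loginNamed',
          'interpolated (unsafe)' => 'loginInterpolated'] as $label => $fn) {
    $rows = $fn($pdo, $userId, $hashedPass);
    printf("%-22s %d row(s)\n", $label . ':', count($rows));
}
```

Both prepared variants treat the whole string `' OR 1=1 -- ` as the literal user_id value to compare against, so no row matches; the interpolated query becomes `... WHERE user_id = '' OR 1=1 -- ' AND passw = '...'` and returns every user. Whether you pick ? or :name is therefore a readability choice, not a security one; what matters is that the values go through execute() rather than into the query string.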