Menu
Community /Pin to ProfileBookmark
@NogDogApr 12.2019 — #
Anyway, if I were writing the tutorial, I'd push users toward prepared statements first, and use PDO::query() only in simple cases where there is zero benefit to using a prepared statement.@NogDogApr 13.2019 — #Using bound parameters when executing a prepared statement automatically takes care of any escaping and quoting. PDO's option of using named place-holders makes it easy to see which parameter is used where in the query, as opposed to the only option in MySQLi of using "?" place-holders. Also, you can do the binding implicitly via an array parameter of the execute() method, helping to keep things clean.
@NogDogApr 14.2019 — #
Basically, yes. If you are using any variable values that have the slightest possibility of being insecure, then a prepared statement with bound parameters is the way to go, in my opinion. You can use PDO::query() if you also apply PDO::quote() to variable values and such, or cast to a proper numeric type if applicable -- but I find it's easier to just let preparing with bound parameters cleaner and less prone to error.
php pdo fetch and query
im doing a short tutorial on php pdo and the content isnt that detailed so i have some questions.
1. with the query and fetch functions. couldnt a user do sql injection? when youre inserting data theres the prepared statements which remove swl injection, what safeguards are there against that when querying?2. what is the advantage of using fetch in a while loop over just using a foreach loop with the query function?
Sign in
to post a comment7 Comments(s) ↴
0
@NogDogApr 12.2019 — #Anyway, if I were writing the tutorial, I'd push users toward prepared statements first, and use PDO::query() only in simple cases where there is zero benefit to using a prepared statement.
0
@NogDogApr 13.2019 — #Using bound parameters when executing a prepared statement automatically takes care of any escaping and quoting. PDO's option of using named place-holders makes it easy to see which parameter is used where in the query, as opposed to the only option in MySQLi of using "?" place-holders. Also, you can do the binding implicitly via an array parameter of the execute() method, helping to keep things clean.<i>
</i>$sql = "
SELECT * FROM my_table
WHERE foo = :foo and bar = :bar
ORDER BY foo
";
$stmt = $pdo->prepare($sql);
$stmt->execute(array(
':foo' => $_GET['foo'],
':bar' => $_GET['bar']
));
0
@NogDogApr 14.2019 — #>@coleio#1602768 am i correct in saying that query should only be used when you know data isnt dodgy?
Basically, yes. If you are using any variable values that have the slightest possibility of being insecure, then a prepared statement with bound parameters is the way to go, in my opinion. You can use PDO::query() if you also apply PDO::quote() to variable values and such, or cast to a proper numeric type if applicable -- but I find it's easier to just let preparing with bound parameters cleaner and less prone to error.