Hi,
I searched many forums about prepared statements security and it appears that they are “much safer” than regular SQL queries.
But why would prepared statements be safer since, no matter what you do, you're always gonna have to take the user's input into the database. Prepared statements are supposed to prevent that, but how can you possibly prevent that?! It seems impossible to me, a beginner!
Do you think using mysql_real_escape_string() with regular query is just as safe as prepared statements?
Thanks in advance!
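As an added illustration (not code from this thread), here is the same lookup written with the poster's mysql_real_escape_string() approach and with a PDO prepared statement; the table, columns and credentials are placeholders:

```php
<?php
// Added example, not from the thread. Assumes a MySQL table `items(id INT, name VARCHAR)`
// in a database `shop`; host, user and password below are placeholders.

// 1. Escaping with the old mysql_* extension (what the original poster does).
//    mysql_real_escape_string() only neutralises characters inside a quoted
//    string literal, so the value must sit between quotes in the SQL text or
//    the escaping protects nothing. The mysql_* extension is deprecated and
//    was removed in PHP 7.
$link = mysql_connect('localhost', 'user', 'password');
mysql_select_db('shop', $link);
$name   = mysql_real_escape_string($_GET['name'], $link);
$result = mysql_query("SELECT id, name FROM items WHERE name = '$name'", $link);

// 2. PDO prepared statement: the SQL template is sent to the server first and
//    the values afterwards, so user input is never parsed as part of the SQL.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);
$stmt = $pdo->prepare('SELECT id, name FROM items WHERE name = :name');
$stmt->execute([':name' => $_GET['name']]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// 3. Non-string values: an unquoted integer in the SQL text has no quotes for
//    escaping to protect, so with mysql_* you would have to cast it yourself.
//    With PDO, bind it as an integer and let the driver handle it.
$stmt = $pdo->prepare('SELECT id, name FROM items WHERE id = :id');
$stmt->bindValue(':id', (int) $_GET['id'], PDO::PARAM_INT);
$stmt->execute();
$item = $stmt->fetch(PDO::FETCH_ASSOC);
```

The difference is where the input ends up: in (1) it becomes part of the query string and escaping has to be done correctly for every context, while in (2) and (3) it stays a parameter value on a separate channel.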
I feel like I've become a PDO salesman!
I've seen systems whose db classes already did the parameter massaging for you when you do the prepared statement. However, I still prefer massaging the data myself. If they have it in the deeper levels that's great. Double security
I have already programmed a significant part of my application, using regular mysql_* functions. Do you think it's gonna be a hassle to change all the php code to prepared statements and PDO?
I don't exactly understand the "procedural" term. I don't think what I'm doing is object oriented, because I haven't created objects.
My application is a sort of e-commerce application with a database (with data such as users, personal details, sold items, categories etc.). And in my scripts, I'm using a very simple database connection, with mysql_* functions. I escape using mysql_real_escape_string().
I use those SQL queries for very simple tasks, such as displaying categories, items, personal details etc.
I try to write the application as simply as possible.
Is this procedural?
What would you recommend?
Thanks for your help
Eric
Thanks a lot kristovaher for your explanation. It introduced me to new concepts that I need to research.
I am obviously a beginner but I am really willing to learn how to program powerful stuff, acquire new knowledge, have good practices etc. I don't like avoiding difficulties because I feel I'm missing out on great stuff to learn.
Even though my application is not gonna be that big, (I'll use PHPmailer and that PEAR image resizing class, forgot the name) I want to make the best application I can. I am currently going through PDO and prepared statement tutorials. Is there any other concept that I should look at after that?
Thanks again, your help is very much appreciated.