[nycphp-talk] mysqli_statement_prepare() vs PearDB::prepare()
csnyder
chsnyder at gmail.com
Sun Apr 17 12:39:48 EDT 2005
I'm not that familiar with the concept of prepared queries, but I was
under the impression that one of the main benefits of using them is
that the values being bound to the statement are automatically typed
and escaped.
Is this a feature limited to Pear DB's prepare() method, and not
generally applicable to other database interfaces, such as mysqli?
Neither the PHP Manual nor the MySQL C API documentation mentions
anything about escaping values that are bound to prepared statements.
Take, for example, the following snippet:
$stmt = $mysqli->prepare( "INSERT INTO Animals VALUES (?, ?)" );
$stmt->bind_param( 'ss', $_GET['name'], $_GET['taxonomy'] );
Is this safe as is, or should the code be converted to:
$name = $mysqli->real_escape_string( $_GET['name'] );
$taxonomy = $mysqli->real_escape_string( $_GET['taxonomy'] );
$stmt = $mysqli->prepare( "INSERT INTO Animals VALUES (?, ?)" );
$stmt->bind_param( 'ss', $name, $taxonomy );
Bonus beer question -- if prepared statements don't automatically
sanitize values being passed to the database, what is the point of
using them?
--
Chris Snyder
http://chxo.com/
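Added example (editor's note, not part of the original post or of mysqli): the three variants the post weighs side by side, namely splicing the value into the SQL text, binding it as a parameter, and escaping it first and then binding it. Python's sqlite3 module stands in for PHP's mysqli so the block runs without a MySQL server; the mechanism is the same in both, a bound value is handed to the engine as data and never parsed as SQL, so it needs no escaping, and escaping it first only stores the escape characters. The table, rows and hostile input are constructed for the demo, and fake_escape() is a hypothetical stand-in for real_escape_string() using SQLite's quote-doubling convention.

```python
"""Bound parameters vs. string building vs. pre-escaping (added example).

sqlite3 is used as a stand-in for PHP mysqli so this runs stand-alone.
"""
import sqlite3

# Constructed sample input: the kind of value an attacker puts in $_GET['name'].
HOSTILE_NAME = "x' OR '1'='1"


def fresh_db() -> sqlite3.Connection:
    """In-memory table mirroring the post's Animals(name, taxonomy)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Animals (name TEXT, taxonomy TEXT)")
    db.execute("INSERT INTO Animals VALUES ('cat', 'Felis catus')")
    db.execute("INSERT INTO Animals VALUES ('dog', 'Canis familiaris')")
    return db


def lookup_interpolated(db, name):
    """Vulnerable: the value is spliced into the SQL text and parsed as SQL."""
    sql = f"SELECT name FROM Animals WHERE name = '{name}'"
    return [row[0] for row in db.execute(sql)]


def lookup_bound(db, name):
    """Safe: the value travels as a parameter; the engine compares it literally."""
    sql = "SELECT name FROM Animals WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]


def fake_escape(value):
    """Hypothetical stand-in for real_escape_string(): doubles single quotes."""
    return value.replace("'", "''")


def insert_bound(db, name, taxonomy, pre_escape=False):
    """Insert with bound params, optionally escaping first (the post's 2nd snippet).

    Returns the name as actually stored, read back with a bound SELECT,
    so the caller can see whether escaping changed the data.
    """
    if pre_escape:
        name, taxonomy = fake_escape(name), fake_escape(taxonomy)
    db.execute("INSERT INTO Animals VALUES (?, ?)", (name, taxonomy))
    row = db.execute(
        "SELECT name FROM Animals WHERE taxonomy = ?", (taxonomy,)
    ).fetchone()
    return row[0]


def demo():
    db = fresh_db()
    # 1. Interpolation: the OR clause becomes part of the query; every row matches.
    injected = lookup_interpolated(db, HOSTILE_NAME)
    # 2. Binding: the same string is just a string; nothing matches.
    bound = lookup_bound(db, HOSTILE_NAME)
    # 3. Binding an already-escaped value stores the extra quote characters.
    stored_plain = insert_bound(db, "O'Hara's cat", "Felis catus 2")
    stored_double = insert_bound(db, "O'Hara's cat", "Felis catus 3", pre_escape=True)
    return injected, bound, stored_plain, stored_double


if __name__ == "__main__":
    inj, bnd, plain, double = demo()
    print("interpolated:", inj)             # ['cat', 'dog']
    print("bound:", bnd)                     # []
    print("stored plain:", plain)            # O'Hara's cat
    print("stored double-escaped:", double)  # O''Hara''s cat
```

The third result is the practical answer to the second snippet in the post: escaping before binding does not make the insert any safer, it corrupts the stored value, because the driver already delivers the bound value out of band from the SQL text.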