[nycphp-talk] mysqli_statement_prepare() vs PearDB::prepare()
Adam Maccabee Trachtenberg
adam at trachtenberg.com
Sun Apr 17 13:20:22 EDT 2005
On Sun, 17 Apr 2005, csnyder wrote:
> Is this a feature limited to Pear DB's prepare() method, and not
> generally applicable to other database interfaces, such as mysqli?
No. It is available in mysqli.
> Neither the PHP Manual nor the MySQL C API documentation mentions
> anything about escaping values that are bound to prepared statements.
> Take, for example, the following snippet:
>
> $stmt = $mysqli->prepare( "INSERT INTO Animals VALUES (?, ?)" );
> $stmt->bind_param( 'ss', $_GET['name'], $_GET['taxonomy'] );
>
> Is this safe as is, or should the code be converted to:
It is safe from SQL injection. However, one should always be validating
external data to see that it falls within the general category of data
that you're expecting, but I know you know this. :)
> Bonus beer question -- if prepared statements don't automatically
> sanitize values being passed to the database, what is the point of
> using them?
Speed. The DB only has to prepare the query once, so if you make
multiple INSERTs (as in the example above), they will be faster.
-adam
PS: I will once again shamelessly plug "Upgrading to PHP 5", its five
star Amazon rating, and its Amazon sales ranking in the
150,000s. Trust me when I say there's useful stuff there that's not
well-documented in other places. :)
--
adam at trachtenberg.com | http://www.trachtenberg.com
author of o'reilly's "upgrading to php 5" and "php cookbook"
avoid the holiday rush, buy your copies today!
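The snippet in the question, filled out into a complete script as an added example (not code from the original post or from either author): the statement is prepared once, the incoming values are validated against the shape of data the table expects, and the same statement is executed repeatedly with different values. With mysqli's native prepared statements the query text is fixed at prepare time and the parameter values are sent to the server separately at execute time, so no quoting of the values happens anywhere; that is why the quote-and-semicolon payload below cannot alter the INSERT. It still has to be rejected by validation, because nothing about a prepared statement makes it a sensible animal name. The connection credentials, the Animals(name, taxonomy) table, the sample rows and the validate_animal() helper are all assumptions made for the example.

```php
<?php
// Added example, not from the original post. Assumes a MySQL server reachable
// with these hypothetical credentials and a table
//   CREATE TABLE Animals (name VARCHAR(64), taxonomy VARCHAR(128));
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('localhost', 'zoo_user', 'secret', 'zoo');

// Constructed sample input standing in for $_GET across several requests.
$requests = [
    ['name' => 'Lion',                       'taxonomy' => 'Panthera leo'],
    ['name' => "O'Brien's Robin",            'taxonomy' => 'Turdus migratorius'],
    ['name' => "x'); DROP TABLE Animals; --", 'taxonomy' => 'not a taxonomy'],
];

// Hypothetical helper: whitelist the shape of an acceptable name/taxonomy.
// The prepared statement already stops the third row from changing the
// query; this is what stops it from being stored as an "animal" at all.
function validate_animal(array $in): ?array
{
    $name = (string) ($in['name'] ?? '');
    $tax  = (string) ($in['taxonomy'] ?? '');
    if (!preg_match("/^[A-Za-z][A-Za-z '\\-]{0,63}$/", $name)) {
        return null;
    }
    if (!preg_match("/^[A-Za-z][A-Za-z .'\\-]{0,127}$/", $tax)) {
        return null;
    }
    return [$name, $tax];
}

// Prepared once: the server parses and plans this query text a single time.
$stmt = $mysqli->prepare('INSERT INTO Animals (name, taxonomy) VALUES (?, ?)');

// bind_param() binds the variables by reference, so assigning new values to
// $name and $taxonomy before each execute() is all that is needed; the
// statement does not have to be re-prepared or re-bound per row.
$name = '';
$taxonomy = '';
$stmt->bind_param('ss', $name, $taxonomy);

foreach ($requests as $req) {
    $valid = validate_animal($req);
    if ($valid === null) {
        fwrite(STDERR, "rejected input: {$req['name']}\n");
        continue;
    }
    [$name, $taxonomy] = $valid;
    // Values are sent in the execute packet, separate from the query text,
    // so the apostrophe in "O'Brien's Robin" needs no escaping.
    $stmt->execute();
}

$stmt->close();
$mysqli->close();
```

If the validation step is dropped, the third row is still harmless to the query structure, but it ends up in the table verbatim and will be rendered back to users later; the two defences cover different problems, which is the point of the reply above.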