[nycphp-talk] mysqli_statement_prepare() vs PearDB::prepare()
Adam Maccabee Trachtenberg
adam at trachtenberg.com
Sun Apr 17 13:20:22 EDT 2005
On Sun, 17 Apr 2005, csnyder wrote:
> Is this a feature limited to Pear DB's prepare() method, and not
> generally applicable to other database interfaces, such as mysqli?
No. It is available in mysqli.
> Neither the PHP Manual nor the MySQL C API documentation mentions
> anything about escaping values that are bound to prepared statements.
> Take, for example, the following snippet:
>
> $stmt = $mysqli->prepare( "INSERT INTO Animals VALUES (?, ?)" );
> $stmt->bind_param( 'ss', $_GET['name'], $_GET['taxonomy'] );
>
> Is this safe as is, or should the code be converted to:
It is safe from SQL injection. However, one should always be validating
external data to see that it falls within the general category of data
that you're expecting, but I know you know this. :)
> Bonus beer question -- if prepared statements don't automatically
> sanitize values being passed to the database, what is the point of
> using them?
Speed. The DB only has to prepare the query once, so if you make
multiple INSERTs (as in the example above), they will be faster.
-adam
PS: I will once again shamelessly plug "Upgrading to PHP 5", its five
star Amazon rating, and its Amazon sales ranking in the
150,000s. Trust me when I say there's useful stuff there that's not
well-documented in other places. :)
--
adam at trachtenberg.com | http://www.trachtenberg.com
author of o'reilly's "upgrading to php 5" and "php cookbook"
avoid the holiday rush, buy your copies today!
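As an added example (not code from the thread), a mysqli version of the snippet above that prepares once, binds by reference, re-executes for several inserts, and validates the external values before executing, which is the check the prepared statement does not do for you. The table layout, credentials and sample submissions are assumptions.

```php
<?php
// Added example, not from the original post: mysqli prepared statement with
// bound parameters plus validation of the external values before binding.
// Assumed: table Animals(name VARCHAR(64), taxonomy VARCHAR(128)), and the
// placeholder credentials below.
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors as exceptions

// Returns the cleaned record, or null when the input is not the kind of data
// we expect. A prepared statement keeps values out of the SQL grammar; it does
// not check that the values make sense, which is this function's job.
function validate_animal(array $input): ?array
{
    $name     = trim((string)($input['name'] ?? ''));
    $taxonomy = trim((string)($input['taxonomy'] ?? ''));
    if (!preg_match('/^[\p{L} -]{1,64}$/u', $name)) {        // letters, spaces, hyphens
        return null;
    }
    if (!preg_match('/^[\p{L} ]{1,128}$/u', $taxonomy)) {    // e.g. "Felis catus"
        return null;
    }
    return ['name' => $name, 'taxonomy' => $taxonomy];
}

$mysqli = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'zoo'); // placeholders

// Prepare once. The server parses the statement with ? placeholders; bound
// values are sent separately and are never interpreted as SQL.
$stmt = $mysqli->prepare('INSERT INTO Animals VALUES (?, ?)');
$name = $taxonomy = '';
$stmt->bind_param('ss', $name, $taxonomy); // binds by reference

// Constructed sample input standing in for several $_GET submissions.
$submissions = [
    ['name' => 'Cat',  'taxonomy' => 'Felis catus'],
    ['name' => 'Wolf', 'taxonomy' => 'Canis lupus; v2'], // fails validation
];

foreach ($submissions as $raw) {
    $record = validate_animal($raw);
    if ($record === null) {
        error_log('Rejected animal record: ' . json_encode($raw));
        continue;
    }
    // Re-execute the already prepared statement with the new bound values.
    $name = $record['name'];
    $taxonomy = $record['taxonomy'];
    $stmt->execute();
}
$stmt->close();
```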