Parameterized Queries?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


trent2800
Forum Commoner
Posts: 48
Joined: Mon Oct 02, 2006 7:02 am

Parameterized Queries?

Post by trent2800 »

I searched the site for this topic; I would assume that it would be a popular one. I don't know what happened, but it pulled up 1,900 threads and none of the first 50 or so had anything to do with Parameterized Queries. Anyway, I'm sure you've already answered a hundred of these questions, but what is the PHP equivalent of Parameterized Queries? I can only find references to this in ASP. Also, is this truly the preferred method?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I believe "Prepared Statements" is the more industry-wide term. It is individual to the databases most often, so I'm not sure why this is in Security.
trent2800
Forum Commoner
Posts: 48
Joined: Mon Oct 02, 2006 7:02 am

Post by trent2800 »

I posted this in Security because, according to my research, the primary benefit of "Prepared Statements" is security. If you use this, you essentially remove the possibility of SQL injection. Like I said though, I've only done cursory research on this topic. What I'm looking for is, in everyone's professional opinion, is this superior to escaping characters (mysql_real_escape_string, addslashes, etc.)?
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Yeah, prepared queries make it (usually) impossible to perform SQL injection attacks. But the same applies to any DB abstraction/wrapper class that emulates query binding. It really all depends on what your system supports.
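To make the distinction in the post above concrete, here is an added example (not code from the thread) that runs the same lookup once by string concatenation and once as a prepared statement with a bound parameter. It uses PDO against an in-memory SQLite database so it runs offline; the `users` table, its rows and the attacker input are constructed for the demo. For MySQL you would swap the DSN for something like `mysql:host=localhost;dbname=app;charset=utf8mb4`, pass credentials, and also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the server, not the PDO driver, does the preparing (SQLite's PDO driver always binds natively). PDO needs PHP 5.1 or later; the type declarations need PHP 7.

```php
<?php
// Added example, not from the original thread.
// Same query written two ways: spliced into the SQL text vs. bound as a parameter.

function connect(): PDO {
    // In-memory SQLite so the demo needs no server. For MySQL, change the DSN and
    // additionally: $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Constructed sample schema and rows for the demonstration.
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
    $pdo->exec("INSERT INTO users (name, secret) VALUES ('alice', 'a-secret'), ('bob', 'b-secret')");
    return $pdo;
}

// Vulnerable: the value becomes part of the SQL text, so it can change the
// structure of the statement, not just the data it compares against.
function lookupConcat(PDO $pdo, string $name): array {
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the statement is parsed with a placeholder; the value travels separately
// and is only ever treated as data, whatever characters it contains.
function lookupPrepared(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo    = connect();
$attack = "x' OR '1'='1";   // constructed tautology payload

print_r(lookupConcat($pdo, $attack));    // both rows: WHERE clause became always-true
print_r(lookupPrepared($pdo, $attack));  // empty array: nobody is literally named x' OR '1'='1
print_r(lookupPrepared($pdo, 'alice'));  // ['alice']
```

The middle call is the point: with the placeholder, the quote characters in the payload never reach the SQL parser as syntax, so there is nothing to escape. An abstraction layer that only emulates binding (the wrapper classes mentioned above) quotes the value client-side instead; that is safe for string contexts provided the wrapper knows the connection's character set, which is why the PDO attribute above matters on MySQL.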
trent2800
Forum Commoner
Posts: 48
Joined: Mon Oct 02, 2006 7:02 am

Post by trent2800 »

Yeah, I just looked... and my host has PHP 4.4.4 .... crappy. I'm going to complain. What can I do in this situation? Just rely on mysql_real_escape_string()?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

4.4.4 isn't crappy. It's the latest in the 4 branch.

mysql_real_escape_string() is one to use when dealing directly with MySQL, however there are libraries such as ADOdb and ADOdb Lite which provide a rough approximation to prepared statements.
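For the PHP 4 situation feyd describes, here is an added example (not from the thread) of using mysql_real_escape_string() correctly with the old `mysql` extension, and of the two cases where it cannot help at all. It targets PHP 4.3 or later and PHP 5.x; the `mysql` extension was removed in PHP 7, so this is for the host described above, not for new code. The connection details, the `users` table with `id`, `name` and `created` columns, and the `$_GET` parameters are assumptions for the demo.

```php
<?php
// Added example, not from the original thread. PHP 4.3+/5.x mysql extension only.

$link = mysql_connect('localhost', 'app', 'secret') or die('connect failed');  // placeholder credentials
mysql_select_db('app', $link) or die('no database');
// mysql_real_escape_string() escapes according to the connection's character set.
// Changing the charset with a raw "SET NAMES" query does not tell the client
// library about it; on PHP 5.2.3+ use mysql_set_charset() instead.

// Rule 1: escaping only works INSIDE a quoted string literal. Always emit the
// quotes together with the escaped value so they cannot be forgotten at the call site.
function quoteString($value, $link) {
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

// Rule 2: numbers are not "escaped". "1 OR 1=1" contains no quote characters, so
// escaping leaves it unchanged; validate or cast instead.
function toInt($value) {
    if (!ctype_digit((string) $value)) {
        return null;   // reject rather than guess
    }
    return (int) $value;
}

// Rule 3: identifiers (column names, ORDER BY targets) are not string literals and
// cannot be escaped either. Accept only values from a fixed list.
function sortColumn($requested) {
    $allowed = array('name', 'created');
    return in_array($requested, $allowed, true) ? $requested : 'name';
}

$name = isset($_GET['name']) ? $_GET['name'] : '';
$id   = toInt(isset($_GET['id']) ? $_GET['id'] : '');
$sort = sortColumn(isset($_GET['sort']) ? $_GET['sort'] : '');

// Wrong (still injectable with ?id=1 OR 1=1, despite the escaping):
// $sql = "SELECT name FROM users WHERE id = " . mysql_real_escape_string($_GET['id'], $link);

// Right: integer validated, string quoted and escaped, identifier whitelisted.
if ($id === null) {
    die('bad id');
}
$sql = "SELECT name FROM users WHERE id = $id AND name = " . quoteString($name, $link)
     . " ORDER BY $sort";

$result = mysql_query($sql, $link) or die(mysql_error($link));
while ($row = mysql_fetch_assoc($result)) {
    echo htmlspecialchars($row['name'], ENT_QUOTES), "\n";
}
mysql_close($link);
```

The habit worth taking from this is that escaping is a property of one specific context (a single-quoted MySQL string literal on a connection whose charset the escaper knows), so every other context needs its own defence: casting for numbers, a whitelist for identifiers. A prepared statement removes the first problem entirely but still does nothing for identifiers, which is why the whitelist pattern survives the move to PHP 5 and PDO.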