Parameterized Queries?
Posted: Fri Dec 08, 2006 9:02 pm
by trent2800
I searched the site for this topic, I would assume that it would be a popular one. I don't know what happened but it pulled up 1,900 threads and none of the first 50 or so had anything to do with Parameterized Queries. Anyways, I'm sure you've already answered a hundred of these questions, but what is the PHP equivalent of Parameterized Queries? I can only find references to this in ASP. Also, is this truly the preferred method?
Posted: Fri Dec 08, 2006 9:21 pm
by feyd
I believe it's Prepared Statements, which is the more industry-wide term. It is individual to the databases most often, so I'm not sure why this is in security.
Posted: Fri Dec 08, 2006 9:43 pm
by trent2800
I posted this in security because, according to my research, the primary benefit to "Prepared Statements" is security. If you use this, you essentially remove the possibility of SQL injection. Like I said though, I've only done cursory research on this topic. What I'm looking for is, in everyone's professional opinion, whether this is superior to escaping characters (mysql_real_escape_string, addslashes, etc.).
Posted: Fri Dec 08, 2006 10:55 pm
by Ambush Commander
Yeah, prepared queries make it (usually) impossible to perform SQL injection attacks. But the same applies to any DB abstraction/wrapper class that emulates query binding. It really all depends on what your system supports.
Posted: Fri Dec 08, 2006 11:05 pm
by trent2800
Yeah, I just looked... and my host has PHP 4.4.4... crappy. I'm going to complain. What can I do in this situation? Just rely on mysql_real_escape_string()?
Posted: Fri Dec 08, 2006 11:11 pm
by feyd
4.4.4 isn't crappy. It's the latest in the 4 branch.
mysql_real_escape_string() is one to use when dealing directly with MySQL; however, there are libraries such as ADOdb and ADOdb Lite which provide a rough approximation to prepared statements.
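To make the difference the thread is debating concrete, here is an added example (not code posted by anyone in the thread) showing the three approaches side by side in modern PHP with PDO: string concatenation, a real prepared statement, and escaping via PDO::quote() as the counterpart of mysql_real_escape_string(). The DSN, credentials, the `users` table with `username` and `email` columns, and the sample input are all assumptions made for the example.

```php
<?php
// Added example, not from the thread. Assumes a MySQL database reachable via
// $dsn that has a `users` table with `username` and `email` columns.
$dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4'; // assumed DSN
$pdo = new PDO($dsn, 'app_user', 'app_password', [        // assumed credentials
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepare, not client-side quoting
]);

// Constructed user-supplied input. A legitimate name containing a quote is
// enough to show why concatenation breaks: the quote alters the SQL text.
$input = "o'brien";

// UNSAFE (what the posters warn against): the value is spliced into the SQL
// string, so characters in it are parsed as part of the statement. With the
// input above this produces a syntax error; with other input it changes the
// query's meaning, which is the injection risk discussed in the thread.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT username, email FROM users WHERE username = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE (prepared statement): the SQL text is fixed when prepare() runs and the
// value is sent separately as a parameter, so the server never parses it as SQL.
function findUserPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT username, email FROM users WHERE username = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// ESCAPING (the alternative trent2800 asks about): correct only if every value
// is quoted, every time, with the connection's character set taken into account.
// PDO::quote() plays the role mysql_real_escape_string() did with the old ext/mysql.
function findUserEscaped(PDO $pdo, string $name): array
{
    $sql = 'SELECT username, email FROM users WHERE username = ' . $pdo->quote($name);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

print_r(findUserPrepared($pdo, $input));
print_r(findUserEscaped($pdo, $input));
```

The prepared version needs no per-call discipline: forgetting to quote one value in the escaping style reintroduces the problem, whereas a bound parameter cannot be forgotten because the placeholder is part of the SQL.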