HauntedDawg Posted October 16, 2013
Alright.. *rephrases* My work is secured against threats I know how to secure against. Prepping statements is still not currently necessary, whether or not I'm setting myself up for future failure :P
Although this is not intended to tell you what to do, you should really consider using prepared statements on any input data. Although you state you are securing against what you know, there are many other hacks that you do not know of, and those will bite you directly between your legs down the line. Not sure if you have looked into it, but it's pretty easy.
$prep = $db->prepare('INSERT INTO `table` (`column1`, `column2`, `column3`) VALUES (?, ?, ?)');
$prep->bind_param('sss', $_GET['column1'], $_GET['column2'], $_GET['column3']);
$prep->execute();
$prep->close();
And that will take care of any SQL injections I know of, and that I do not know of. Just a thought to take in :)
Dayo Posted October 16, 2013 (edited)
I now use PDO as a standard at work and for personal projects for the reasons stated before; you are not just limited to a MySQL database. But there are a few drawbacks of PDO, one of which I encounter every day at work, and that is the drivers for PDO on a Microsoft server + MSSQL are not the best in the world. I.e. you can't do this ...
$db->prepare("UPDATE users SET cash=:cash WHERE cash<:cash");
Edited October 17, 2013 by Dayo
Seker Posted October 16, 2013
I now use PDO as a standard at work and for personal projects for the reason stated before you are not just limited to a mysql database, but there are a few drawbacks of PDO one of which i encounter every day at work and that is the drivers for PDO on a Microsoft server + MsSQL are not the best in the world ie you cant do this
Good God, man. PUNCTUATION!
Dayo Posted October 17, 2013
:s I should really stop posting from my phone, thanks for the spot.
Alan Posted October 17, 2013
$prep = $db->prepare('INSERT INTO `table` (`column1`, `column2`, `column3`) VALUES (?, ?, ?)');
$prep->bind_param('sss', $_GET['column1'], $_GET['column2'], $_GET['column3']);
$prep->execute();
$prep->close();
And that will take care of any SQL injections I know of, and that I do not know of.
Yet with PDO it is *still* possible to leave yourself open to SQL injection; there are multiple instances where you cannot bind dynamic data - consider ORDER BY $expr LIMIT $offset, $count; you cannot, IIRC, bind those variables, potentially leaving a nice hole, as too often people assume that PDO is safe.
Magictallguy Posted October 19, 2013
$prep = $db->prepare('INSERT INTO `table` (`column1`, `column2`, `column3`) VALUES (?, ?, ?)');
$prep->bind_param('sss', $_GET['column1'], $_GET['column2'], $_GET['column3']);
$prep->execute();
$prep->close();
Yet with PDO it is *still* possible to leave yourself open to SQL injection; there are multiple instances where you cannot bind dynamic data - consider ORDER BY $expr LIMIT $offset, $count; you cannot, IIRC, bind those variables, potentially leaving a nice hole, as too often people assume that PDO is safe.
Whereas, with standard procedural MySQLi_* functions, I can! *Anything* that the user can touch, I work on. I live by a "it doesn't have to look good, it just has to work well" system.. If a user can exploit my work, then it doesn't work well!
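An added example, not posted by anyone in this thread, that puts HauntedDawg's prepared-statement advice and Alan's ORDER BY / LIMIT caveat together: data values are bound as parameters, while the pieces PDO cannot bind (sort column, sort direction, row counts) are taken from a fixed whitelist or cast to integers instead of being interpolated from the request. The `users` table, its columns and the sample rows are constructed for the example; it uses an in-memory SQLite database so it runs offline, but the same `fetchUsers` function works unchanged against MySQL with native prepares enabled.

```php
<?php
// Added example for the thread above (not code from any poster): closing the
// ORDER BY / LIMIT gap in PDO with a whitelist and integer casts, while real
// data values are still bound as parameters.
declare(strict_types=1);

// Constructed sample data: an in-memory SQLite database standing in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, cash INTEGER)');
$ins = $db->prepare('INSERT INTO users (username, cash) VALUES (?, ?)');
foreach ([['alice', 500], ['bob', 1200], ['carol', 75]] as $row) {
    $ins->execute($row);
}

/**
 * Fetch users sorted and paged according to user-controlled input.
 *
 * Column names, sort direction and LIMIT/OFFSET cannot be bound as
 * parameters, so they are never copied from the request into the SQL text:
 * the column and direction must match a fixed whitelist and the counts are
 * forced to clamped integers. The WHERE value is ordinary data and is bound.
 */
function fetchUsers(PDO $db, array $input): array
{
    // Whitelist of sortable columns; an unknown name falls back to 'id'.
    $sortable  = ['id' => 'id', 'username' => 'username', 'cash' => 'cash'];
    $column    = $sortable[(string) ($input['sort'] ?? '')] ?? 'id';

    // Direction is a two-valued choice, never taken verbatim from the request.
    $direction = strtoupper((string) ($input['dir'] ?? 'ASC')) === 'DESC' ? 'DESC' : 'ASC';

    // LIMIT values: explicit int cast plus clamping, so "2 OR 1=1" becomes 2.
    $count  = max(1, min(100, (int) ($input['count'] ?? 20)));
    $offset = max(0, (int) ($input['offset'] ?? 0));

    // Only the whitelisted/cast pieces reach the SQL string; data stays bound.
    $sql = "SELECT username, cash FROM users WHERE cash >= :min_cash
            ORDER BY {$column} {$direction} LIMIT :count OFFSET :offset";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':min_cash', (int) ($input['min_cash'] ?? 0), PDO::PARAM_INT);
    $stmt->bindValue(':count', $count, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed hostile-looking input: the sort column and count carry SQL
// fragments, which the whitelist and the int cast simply discard.
$rows = fetchUsers($db, [
    'sort'     => 'cash; DROP TABLE users',
    'dir'      => 'desc',
    'count'    => '2 OR 1=1',
    'offset'   => '0',
    'min_cash' => '100',
]);
// The unknown sort column fell back to id, so this lists bob (1200) then
// alice (500); carol is filtered out by the bound min_cash value.
print_r($rows);
```

The point of the whitelist is that it maps request values onto identifiers you wrote yourself, so the request string itself never appears in the query; the same pattern covers table names and any other identifier. For LIMIT, `(int)` casting does the real work, and `PDO::PARAM_INT` with emulated prepares disabled keeps the value from being quoted as a string, which MySQL would reject.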