Sim Posted June 14, 2020 Posted June 14, 2020 How many MODDers here are opposed or against or not opposed and not against doing this? $insert = $this->db->prepare ("INSERT INTO tradeItems ( TI_tradeID, TI_userID, TI_invIDs ) VALUES ( '" . $ID . "', '" . $this->user->info->U_id . "', '" . $invIDs . "' )" ); $insert->execute(); Instead of binding every field. $insert->bindData(":ID", $ID); ECT, ect Quote
Magictallguy Posted June 15, 2020 Posted June 15, 2020 There's very little point in using prepared statements if you're not preparing them. I'm definitely against this method 2 Quote
Dave Posted June 15, 2020 Posted June 15, 2020 I agree with @Magictallguy if you aren't using the prepared statements then just do a straight up query. I typically don't prepare "safe" variables, like things directly pulled out of a database which have been correctly cast, but it's good practice to prepare everything just in case something slips through the gaps 🙂 Quote
Sim Posted June 15, 2020 Author Posted June 15, 2020 I'm not familiar with PDO. Prepare secures data while query just queries whatever data? Quote
Magictallguy Posted June 15, 2020 Posted June 15, 2020 No. Prepared Statements do not secure your data any more than a standard query would. It is on the developer (namely you) to use the functionality as intended. The most obvious difference (when coding) between PDO and, say, MySQLi is that using Prepared Statements negates the requirement for escaping data. Another benefit of PDO is that it isn't limited to the MySQL(i) driver; it can support 12 different DB drivers (at the time of writing) - which makes it highly adaptable and extensible. Use either properly and you should be good to go. 2 Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.