2

I've used a mysql_real_escape_string till now but it seems that It's not working at GoDaddy Hostings. How should I clean up the string for a database? I've found a PDO::quote but the manual says

"If you are using this function to build SQL statements, you are strongly recommended to use PDO::prepare() to prepare SQL statements with bound parameters instead of using PDO::quote() to interpolate user input into an SQL statement. Prepared statements with bound parameters are not only more portable, more convenient, immune to SQL injection, but are often much faster to execute than interpolated queries, as both the server and client side can cache a compiled form of the query."

Is that means that prepare + bind_params are doing the same thing? Sorry for my English.

Kirill Ivanov
  • 77
  • 1
  • 8
  • 1
    Exactly. With less code to write usually. – bwoebi Apr 21 '13 at 18:03
  • Is that means it would be safe to put a $_GET['xxx'] without any checks inside of PDO's bindParam? – Kirill Ivanov Apr 21 '13 at 18:20
  • One word is enough: yes – bwoebi Apr 21 '13 at 18:21
  • Query: `'?'` and `bind_params($value)` are enough to consider it as secure. – bwoebi Apr 21 '13 at 18:22
  • 1
    [mysql_real_escape_string **doesn't clean anything**](http://stackoverflow.com/a/9821406/285587). And this question is pretty much a duplicate of [How prepared statements can protect from SQL injection attacks?](http://stackoverflow.com/questions/8263371/how-prepared-statements-can-protect-from-sql-injection-attacks/8265319#8265319) – Your Common Sense Apr 21 '13 at 18:39

1 Answers1

1

Unfortunately, PHP manual often being unclear, wrong or deceiving.

Prepared statements with bound parameters are

  • more portable (not true)
  • more convenient (that's the only true statement),
  • immune to SQL injection (quote() makes things immune as well),
  • often much faster to execute (a mere lie)

So, you can use either way, but prepared statements let you have the shorter code:

$id   = $pdo->quote($id);
$name = $pdo->quote($name);
$stm  = $pdo->query("SELECT * FROM t WHERE id=$id AND name=$name");

vs.

$stm  = $pdo->query("SELECT * FROM t WHERE id=? AND name=?");
$stm->execute(array($id,$name));

Though that's not the only reason: please refer to some explanations I made on Why one should use prepared statements

Community
  • 1
  • 1
Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
  • That's exactly what I want to ask PHP manual says that prepared statements should be used instead of a quote if I understand it right. Is that means that $name = $pdo->quote($name); would do the same as $stmt->bindParam(1, $name, PDO::PARAM_STR)? – Kirill Ivanov Apr 22 '13 at 09:08
  • Not quite. Although with default settings the resulting query would be the same, but with emulation mode turned off, [PDO will make it completely different way](http://stackoverflow.com/a/8265319/285587). Nevertheless, please refer to the link I added to my answer, explaining *real* reasons to use placeholders. Feel free to ask if you got any further questions. – Your Common Sense Apr 22 '13 at 09:24