0
$stmt_update = $db->prepare("UPDATE 2_1_journal SET RecordDay = ?,  WHERE Number = ? ");
$stmt->execute(array($amount1, $date_day1));

Is this safe against mysql injections?

If safe, as I understand it is because of "= ?". Then question how "= ?" works/helps

Question is because here http://php.net/manual/en/pdo.prepare.php is written

Prepared statements only project you from SQL injection IF you use the bindParam or bindValue option.

For example if you have a table called users with two fields, username and email and someone updates their username you might run

UPDATE `users` SET `user`='$var'

where $var would be the user submitted text.

Now if you did

<?php
$a=new PDO("mysql:host=localhost;dbname=database;","root","");
$b=$a->prepare("UPDATE `users` SET user='$var'");
$b->execute();
?>

and the user had entered User', email='test for a test the injection would occur and the email would be updated to test as well as the user being updated to User.

In my code (above) there is no bindParams and no bindValue. So do not know if it is safe and if yes, then what part of code ensures it. Please, advice

Update

After reading this How can I prevent SQL injection in PHP? have got one more question

Does this code 

$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->execute(array($name));

the same as this?

$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute(array(':name' => $name));

If yes, then seems it is better to use first code because it is shorter?

Community
  • 1
  • 1
user2232696
  • 494
  • 2
  • 6
  • 14

2 Answers2

1

Yes, prepared statements are always safe from inject attacks as long as there are no logical flaws, such as using name = '?'.

bindParam is really helpful when you want to bind different datatypes; such as string, integer etc in the query. For eg:

$stmt = $pdo->prepare('SELECT * FROM employees WHERE myID = ?');
$stmt->bindParam( 1, $id, PDO::PARAM_INT );
$stmt->execute();
hjpotter92
  • 78,589
  • 36
  • 144
  • 183
  • If you disable emulated prepared statements even queries with "logical problems" are safe, they'll just produce invalid queries. – deceze May 04 '13 at 07:14
0

Prepared statements only project you from SQL injection IF you use the bindParam or bindValue option.

Manual is incorrect here. Passing data into execute() is safe as well. The main thing is using a placeholder to represent the actual data in the query. As long as you're using a placeholder instead of the actual data - you are safe. However, PDO doesn't offer you placeholders for the everything you can add into query, identifiers for example.

Does this code the same as this?

Yes.
Named placeholders are just a "syntax sugar" for a regular ones.
Technically they are the same in either way - so, it's only a matter of taste.
Personally I prefer regular question mark placeholders as they indeed makes the code dramatically shorter, while named placeholders makes it bloated with no benefit.

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345