
I'm new to PHP and PDO, so I read this response to a similar post:

Does PDO really not use prepared statements with mysql?
Yes, by default (at least with the version I tested), but native mode can be turned on manually.

If not, can it be forced to do so?
By employing the PDO::ATTR_EMULATE_PREPARES setting; the name is pretty self-explanatory.
$dbh->setAttribute( PDO::ATTR_EMULATE_PREPARES, false );

Should you do that?
That's the hardest question of them all. Well, I'd say yes, you should. If you choose PDO as your db driver, there is no point in using it in the emulation mode.

(quoted from Your Common Sense)

Aren't prepared statements secure from SQL injection? Why change it from 'true' to 'false'? What is native mode?

RhodosCoder
  • This question and its answers might also help: http://stackoverflow.com/questions/10113562/pdo-mysql-use-pdoattr-emulate-prepares-or-not – ComFreek Nov 01 '13 at 22:26

2 Answers


I've changed my mind since then.

First of all, every mode is equally safe.
It is not native binding that makes a prepared statement safe, but the general principle of the parameterized statement, which does complete formatting and thus produces an invulnerable query.

So, I'd rather keep emulation mode on, as it makes more sense with average web usage and allows minor conveniences, such as more sensible error messages (with data actually substituted in the query) or multiple placeholders with the same name.

The only reason to change from emulation to native mode is another benefit of prepared statements: the possibility of executing a once-prepared statement multiple times. But, as mentioned above, it is seldom needed.

Your Common Sense
  • If the two modes are equally safe, then why would you say it's better to keep emulation mode on? Just to avoid two round trips when a query is executed only once? That would be a legitimate reason, I'm just asking. – Bill Karwin Nov 01 '13 at 22:01
  • @BillKarwin Actually, I don't find the extra roundtrip that important either. It's rather Occam's razor that cuts it out. Also, a minor convenience: emulation mode allows multiple placeholders with the same name. – Your Common Sense Nov 01 '13 at 22:07
  • @BillKarwin Thanks for mentioning the two roundtrips. Do you agree that both methods are equally the same from the security sight of things? Maybe I'm too paranoid, but I would turn emulation off (if possible). – hek2mgl Nov 01 '13 at 22:21
  • PDO is quite mature and reliable now, so I agree with @YourCommonSense on this one - don't think there's a significant risk as long as you don't use an ancient version of PHP. If you're paranoid and want redundant safety, you can *also* do filtering or whitelisting on application variables before you pass them as parameters. – Bill Karwin Nov 01 '13 at 22:42

Depending on what is most important for you: easy coding and few lines, or a proper way to do it and to avoid SQL injection. As far as you do not work with a huge database it has no effect on speed, so better to leave it away. You can code like

$result = $this->db->select('SELECT * FROM tbl_users WHERE login = :login AND password = :password', $arraiul);

or like that

    function editusers(){
        // $_POST values are taken as-is and interpolated straight into the SQL string below
        $id = $_POST['id'];
        $name = $_POST['name'];
        $login = $_POST['username'];
        $password = $_POST['password'];
        $email = $_POST['email'];
        $power = $_POST['power'];
        if ($password == ''){
            $sqlstm = "UPDATE tbl_users SET name='$name', login='$login', email='$email', power='$power' WHERE id='$id'";
        } else {
            $sqlstm = "UPDATE tbl_users SET name='$name', login='$login', password=MD5('$password'), email='$email', power='$power' WHERE id='$id'";
        }
        // prepare() receives a statement that already contains the user input, so no parameters are bound
        $sth = $this->db->prepare($sqlstm);
        $sth->execute();
    }
  • How does this answer the question? – hek2mgl Nov 01 '13 at 21:55
  • Also, this answer is highly vulnerable to SQL injection, by interpolating content from $_POST variables directly into SQL. It's bad practice to show bad practices in answers. – Bill Karwin Nov 01 '13 at 22:00
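The following is an added example, not code from the question or from either answer. It ties the two threads above together: it opens a connection in each of the two modes the accepted answer compares (PDO::ATTR_EMULATE_PREPARES true and false), rewrites the editusers() function from the second answer so that every $_POST value travels as a bound parameter instead of being spliced into the SQL string, and shows the one behavioural difference the accepted answer mentions (the same named placeholder used twice). The DSN, database name, credentials and the tbl_users columns are assumptions taken from the second answer and placeholders; $post is constructed input standing in for $_POST.

```php
<?php
// Added example. Assumes a MySQL server reachable with the placeholder DSN and
// credentials below and a tbl_users table with the columns used in the second
// answer (id, name, login, password, email, power). Nothing here is from the page.

function connect(bool $emulate): PDO
{
    return new PDO(
        // Charset belongs in the DSN so PDO knows it when escaping in emulation mode.
        'mysql:host=localhost;dbname=app;charset=utf8mb4',
        'app_user',       // placeholder
        'app_password',   // placeholder
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // false: the statement is prepared on the server and values are sent
            //        separately ("native mode").
            // true:  PDO quotes the values itself and sends one finished SQL string.
            PDO::ATTR_EMULATE_PREPARES => $emulate,
        ]
    );
}

// Parameterised rewrite of editusers(). The SQL text never contains user input,
// so a value such as  x' OR '1'='1  is stored as that literal string in both modes.
function editUser(PDO $db, array $post): int
{
    $fields = ['name = :name', 'login = :login', 'email = :email', 'power = :power'];
    $params = [
        ':name'  => $post['name'],
        ':login' => $post['username'],
        ':email' => $post['email'],
        ':power' => (int) $post['power'],
        ':id'    => (int) $post['id'],
    ];
    if ($post['password'] !== '') {
        $fields[] = 'password = :password';
        // password_hash() replaces the MD5() used in the second answer.
        $params[':password'] = password_hash($post['password'], PASSWORD_DEFAULT);
    }
    $sql = 'UPDATE tbl_users SET ' . implode(', ', $fields) . ' WHERE id = :id';
    $sth = $db->prepare($sql);
    $sth->execute($params);
    return $sth->rowCount();
}

// Same named placeholder used twice: accepted in emulation mode, rejected by
// the native driver (SQLSTATE HY093, "Invalid parameter number").
function countByLoginOrEmail(PDO $db, string $value): int
{
    $sth = $db->prepare('SELECT COUNT(*) FROM tbl_users WHERE login = :v OR email = :v');
    $sth->execute([':v' => $value]);
    return (int) $sth->fetchColumn();
}

// Constructed input standing in for $_POST, including two injection attempts.
$post = [
    'id'       => '7',
    'name'     => "Robert'); DROP TABLE tbl_users;--",
    'username' => "x' OR '1'='1",
    'password' => '',
    'email'    => 'r@example.com',
    'power'    => '1',
];

foreach ([true, false] as $emulate) {
    $db = connect($emulate);
    printf("emulation=%s: %d row(s) updated\n", var_export($emulate, true), editUser($db, $post));
    try {
        printf("  duplicate placeholder: %d match(es)\n", countByLoginOrEmail($db, 'r@example.com'));
    } catch (PDOException $e) {
        echo "  duplicate placeholder rejected: ", $e->getMessage(), "\n";
    }
}
```

Run against a real database, the first loop iteration updates row 7 and answers the duplicate-placeholder query; the second iteration performs the same update but the countByLoginOrEmail() call lands in the catch block. In neither mode does the "name" or "username" value alter the statement, which is the point the accepted answer makes: the protection comes from keeping data out of the SQL text, and the emulation flag only decides where the separation is enforced.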