
I have read the following post, and have some questions: How can I prevent SQL injection in PHP?

I see you can choose between PDO and MySQLi. Is there any difference, and how do I choose between them?

In the example code they use :name for PDO queries and ? for MySQLi. What shall I replace those with? Just a PHP variable?

Finally, how do I prepare to begin using PDO on my website? Is there anything I need to install or add, or can I just begin and use the same code as provided in the examples?

Thank you

user3707440

  • This is too broad and a duplicate of multiple questions – John Conde Jun 27 '14 at 19:10
  • In the example code, `:name` and `?` are placeholders. You don't replace them with anything... that's how you use a parameterized query. The whole point here is to separate the command from the data. When data is ambiguous with the command, bad things can happen. Beyond that, it doesn't matter which API you use from an injection standpoint. – Brad Jun 27 '14 at 19:11
  • You're asking for opinions, and things that obviously indicate that you have no idea what an injection problem actually looks like. You need to actually LEARN all about it, and not just recognize buzzwords. – Marc B Jun 27 '14 at 19:11
  • PDO can use unnamed ('?') parameters as well. – Marcus Adams Jun 27 '14 at 19:15

2 Answers

Go with PDO, you'll be glad you did.

Back in ancient times of PHP 5.0, Mysqli was part of PHP, but PDO had to be installed separately from PECL.

Since PHP 5.1, PDO has been part of the standard PHP extensions. Both should be available on any modern PHP installation. I've heard of a few hosting companies that still don't enable PDO, but IMHO that indicates the hosting provider isn't keeping up with modern software, and it's a reason to switch to a different hosting provider, not a reason to use Mysqli.

PDO has only an object-oriented usage, whereas Mysqli supports both procedural and object-oriented usage.

PDO supports multiple drivers for different brands of RDBMS, whereas Mysqli of course is only for MySQL.

There are a few cases where writing code in PDO is simpler. For example if you're coding a general-purpose function to insert into any table, with a variable number of columns, it's easier to pass an array of parameters to a prepared statement with PDO than the gymnastics you have to do with Mysqli.

Bill Karwin
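An added example (mine, not code from the question or either answer) of the general-purpose insert function the answer above describes, which also shows what the `:name` placeholders from the question actually are: the SQL keeps the placeholder, and `execute()` supplies the value separately from an array. It assumes a MySQL `users` table with `name` and `email` columns; the DSN and credentials are placeholders. Table and column names cannot be bound as parameters, so they are checked against an allow-list instead.

```php
<?php
// Added example (not from the question or either answer): a general-purpose
// INSERT helper on PDO prepared statements. Assumes a `users` table with
// `name` and `email` columns; DSN and credentials are placeholders.
declare(strict_types=1);

$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4', // placeholder DSN
    'app_user',                                        // placeholder user
    'app_password',                                    // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

/**
 * Insert one row into $table, using the keys of $row as column names.
 * Values are bound to `:name` placeholders, so they never become SQL text.
 * Identifiers cannot be bound, so table/column names are allow-listed.
 */
function insertRow(PDO $pdo, string $table, array $row): int
{
    $allowed = ['users' => ['name', 'email']]; // assumed schema
    if (!isset($allowed[$table])) {
        throw new InvalidArgumentException("Unknown table: $table");
    }
    $unknown = array_diff(array_keys($row), $allowed[$table]);
    if ($unknown !== []) {
        throw new InvalidArgumentException('Unknown column(s): ' . implode(', ', $unknown));
    }
    $columns      = array_keys($row);
    $placeholders = array_map(fn(string $c): string => ":$c", $columns);
    $sql = sprintf(
        'INSERT INTO `%s` (`%s`) VALUES (%s)',
        $table,
        implode('`, `', $columns),
        implode(', ', $placeholders)
    );
    // execute() binds each array entry to the placeholder of the same name.
    $stmt = $pdo->prepare($sql);
    $stmt->execute($row);
    return (int) $pdo->lastInsertId();
}

// Hostile-looking input is stored literally: it is data, not part of the SQL.
$id = insertRow($pdo, 'users', [
    'name'  => "Robert'); DROP TABLE users; --",
    'email' => 'robert@example.com',
]);
```

With `?` placeholders the same helper would pass a plain list array to `execute()` in column order; in both forms the placeholder stays in the SQL text and the value travels separately, which is what makes the query injection-safe.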

PDO and mysqli are extensions for PHP. They are usually installed with PHP 5. If not, read this: How to install MySQLi

You can use prepared statements, or you can also use simple queries with escaping functions (for PDO - PDO::quote(), for mysqli - mysqli::escape_string()). I'm using mysqli because I like it.

For using prepared statements, there is an irrefragable answer, I think: PHP PDO prepared statements

deniskoronets