
Right now I've been using something along the lines of:

$mysqli->prepare("INSERT INTO names VALUES('$name')");

Is this less safe than using bind_param/bind_value, or does it not matter and it's the prepare itself that makes it safe?

I've always been curious; I think using bind_param/bind_value is safer, but I don't really know. Sorry if this is a duplicate, as I couldn't actually find any other question (I don't really know how to phrase this question, so that's probably why).

Matthew
  • I started with the MySQLi extension very recently, so I don't know too much about it. Also, if bind_param/bind_value is safer, could you please explain why? Thanks. – Matthew Aug 30 '14 at 04:59
  • That question may have answered my question, thanks. – Matthew Aug 30 '14 at 05:03

1 Answer


The idea of prepared statements is that you give the query string to the database with gaps. The database can now interpret the query string and maybe optimize it. When you hand over the input to fill the gaps, the database does not try to interpret it. It just puts the input in the gaps.

If you put the input into the query string, the database cannot see whether this is part of the input or part of the query string, and so it is possible that the database interprets parts of the input as SQL code. This is called an SQL injection.

So: With

$mysqli->prepare("INSERT INTO names VALUES('$name')");

you lose every bit of safety a prepared statement can offer.

AbcAeffchen
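To make the answer's point concrete, here is an added example (not code from the question or the answer). It uses PDO with an in-memory SQLite database so it can be run without a MySQL server; the mysqli equivalents of the safe form (prepare with a `?` placeholder, then bind_param with type 's', then execute) are given in the comments. The sample name "O'Brien" is a constructed input: a perfectly legitimate value that happens to contain a quote. When it is interpolated into the query string, the quote ends the string literal and the database tries to parse the rest of the data as SQL; when it is passed as a bound parameter, the database never parses it at all and stores it verbatim.

```php
<?php
// Added example: why interpolating $name into the query string defeats the
// protection of a prepared statement. Runs offline with PDO + in-memory SQLite.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE names (name TEXT NOT NULL)');
    return $db;
}

// Unsafe: the value is spliced into the SQL text BEFORE the database parses it,
// so the database cannot tell data from code. This is the same pattern as the
// question's $mysqli->prepare("INSERT INTO names VALUES('$name')").
function insertInterpolated(PDO $db, string $name): void {
    $stmt = $db->prepare("INSERT INTO names VALUES('$name')");
    $stmt->execute();
}

// Safe: the SQL is parsed once with a placeholder; the value is handed over
// separately and is only ever treated as data. mysqli equivalent:
//   $stmt = $mysqli->prepare('INSERT INTO names VALUES(?)');
//   $stmt->bind_param('s', $name);
//   $stmt->execute();
function insertBound(PDO $db, string $name): void {
    $stmt = $db->prepare('INSERT INTO names VALUES(?)');
    $stmt->execute([$name]);
}

function storedNames(PDO $db): array {
    return $db->query('SELECT name FROM names ORDER BY name')
              ->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();
$input = "O'Brien"; // constructed sample input: legitimate data containing a quote

try {
    insertInterpolated($db, $input);
    echo "interpolated insert succeeded\n";
} catch (PDOException $e) {
    // The quote inside the data terminates the string literal, so "Brien')"
    // is parsed as SQL and the statement is rejected. With other inputs the
    // leftover text could just as well be accepted as SQL: that is the injection.
    echo "interpolated insert failed: " . $e->getMessage() . "\n";
}

insertBound($db, $input);
// The bound version stores the value exactly as given, quote included.
echo "bound insert stored: " . implode(', ', storedNames($db)) . "\n";
```

Run it with `php example.php`: the interpolated insert fails with a syntax error from the database, while the bound insert stores `O'Brien` unchanged. The difference is not that prepare() was called, but that the data reached the database through a parameter instead of through the query text.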