
I have been programming PHP for quite some time now. But unfortunately I lack a profound understanding of a few things, and I'm trying to make up for that.

I have asked a few specific questions like how to do this, how to do that, and always focused on achieving things with code rather than just learning for deeper understanding. So this is the first time I ask such an "open" question like this.

I'm planning to create an OOP system with PHP. I'm trying to put everything I have learned thus far into this system, using the best practices and skills I have acquired up until this moment. The point I'm looking to learn more about is my system's mysqli DB handler.

Rather than just ask questions I will also try to answer them myself, so maybe you are kind enough to give me feedback on my way of thinking, or confirm the information I have gathered from different resources before asking here.

My first question is why do I need a DB handler class?

So far, I have been calling normal (raw) mysqli statements in my Models (classes) without the need of a handler. But I have seen many systems using a DB handler class. My conclusion is, it saves time. You can write and manipulate MySQL statements quicker than writing them raw. Is this the only advantage? Another advantage I might think of is safety. I can validate the parameters in my Handler class, and since the validation happens in one place it's safer than having to validate parameters in multiple places, increasing the chance of forgetting to validate a parameter or such...

My second question is, what exactly is preparing a MySQL statement, and how does it eliminate the risk of MySQL injection? (What is special about its working that is different from writing the parameter right into the raw query?)

My third question is, is PDO required to parameterize queries? A friend of mine told me I must install the PDO driver if I want to prepare statements properly. But after researching some, I saw that mysqli has the same ability to prepare and bind parameters to statements. Is there credibility to his claim?

My 4th question is, according to your experience, can you suggest a good mysqli DB handler library that is open to be shared and used in my project, and that I can learn from?

I know I have asked many questions, and I REALLY appreciate your time and reply in advance!

Thank you very much.

ShadyAF

shadyhossin

1 Answer

  1. You don't need a DB handler class; you can implement one if you want, but it is not a need.
  2. What exactly is preparing a MySQL statement?
    SQL Syntax for Prepared Statements
    Prepared Statements
    How can I prevent SQL-injection in PHP?

  3. PDO is not the only extension that offers prepared statements. You can do it with mysqli, see mysqli_prepare. This claim is wrong.

  4. According to my experience, PDO is better than mysqli, but either way I would use them raw because I came to the conclusion that such classes just limit you. If you want to use one you can always write your own (not recommended), google, or ask on software-recs.
  5. (Bonus :D) I think what you are really looking for is a framework. I would suggest Zend or Laravel.
meda
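The points in the answer above (a handler is optional, mysqli can prepare statements by itself, and a prepared statement keeps the query text and the values apart) as an added example. This is not code from the question, the answer, or any library they mention; the connection details and the `users` table with `id` and `email` columns are assumptions for illustration, and it requires PHP 8.0+ with the mysqlnd driver for `get_result()`.

```php
<?php
declare(strict_types=1);

// Added example; not code from the question, the answer, or any library they mention.
// The connection details and the `users` table (id, email) are assumptions for illustration.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw mysqli_sql_exception

/**
 * Minimal handler: the single place where statements are prepared and values are bound,
 * so no caller can splice raw input into query text (the "validate in one place" point).
 */
final class Db
{
    public function __construct(private mysqli $conn)
    {
        $this->conn->set_charset('utf8mb4');
    }

    /** Run a SELECT written with ? placeholders; returns rows as associative arrays. */
    public function select(string $sql, array $params = []): array
    {
        $stmt = $this->run($sql, $params);
        $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
        $stmt->close();
        return $rows;
    }

    /** Run INSERT/UPDATE/DELETE with ? placeholders; returns the number of affected rows. */
    public function execute(string $sql, array $params = []): int
    {
        $stmt = $this->run($sql, $params);
        $affected = $stmt->affected_rows;
        $stmt->close();
        return $affected;
    }

    private function run(string $sql, array $params): mysqli_stmt
    {
        // 1. Only the statement text, containing placeholders, is sent and parsed by the server.
        $stmt = $this->conn->prepare($sql);
        // 2. Values are sent separately and typed; they cannot change the already-parsed structure.
        if ($params !== []) {
            $stmt->bind_param($this->types($params), ...$params);
        }
        $stmt->execute();
        return $stmt;
    }

    /** Build the bind_param type string: i = int, d = double, s = string (everything else). */
    private function types(array $params): string
    {
        return implode('', array_map(
            fn($p) => is_int($p) ? 'i' : (is_float($p) ? 'd' : 's'),
            $params
        ));
    }
}

$db = new Db(new mysqli('localhost', 'app_user', 'app_password', 'app_db'));

// A value shaped like an injection attempt (constructed sample input). Spliced into the query
// text it would rewrite the WHERE clause; bound as a parameter it is only a string to compare.
$untrusted = "' OR 1=1 -- ";

// UNSAFE, shown only for contrast: the value becomes part of the SQL the server parses.
$unsafeSql = "SELECT id, email FROM users WHERE email = '$untrusted'";

// SAFE: the same query with a placeholder; the handler binds $untrusted as data.
$rows = $db->select('SELECT id, email FROM users WHERE email = ?', [$untrusted]);
var_dump(count($rows)); // 0 unless some row literally has that string as its email

// The same handler serves writes; the bind type string is derived from the PHP value types.
$inserted = $db->execute('INSERT INTO users (email) VALUES (?)', ['alice@example.com']);
```

The handler adds nothing that `mysqli_stmt` does not already provide; its value is that every query in the system goes through `run()`, so a string-concatenated query like `$unsafeSql` has no path to the server unless someone bypasses the class. On PHP 8.1+ `$stmt->execute($params)` can replace the `bind_param` call, at the cost of losing the explicit type letters.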
I understood now why prepared/parametrized queries are secure from MySQL injection. Other things are becoming clearer as I'm doing my best to gather resources while waiting for personal feedback here on the forum. Thanks for the framework suggestion. I would like not to use a framework (as of yet at least). I could be mistaken, but in order to have a deeper understanding, I should try to create my own framework, to understand the inner workings and profundities of the language/programming in general. It might be stupid trying to re-invent the wheel, but learning is my goal before the project itself. – shadyhossin Dec 14 '14 at 20:26