
I am no security expert. My knowledge extends as far as "always use prepared statements and bind any SQL query parameters which are taken from user input".

Like, I imagine, many others, I would very much like to debug my PDO queries right there in my PHP code.

PDO-DEBUG looks like a great solution, even if I would have to rewrite my queries.

My uncertainty is where it says

Your PDO block probably looks like this:

$sql = "INSERT INTO test (col1, col2, col3) VALUES (:col1, :col2, :col3)";

and this, right ?

$query->execute(array(':col1' => $param_1, ':col2' => $param_2, ':col3' => $param_3));

because mine doesn't. It looks like

$stmt = $conn->prepare("INSERT INTO test (col1, col2, col3) VALUES (:col1, :col2, :col3)");
$stmt->bindParam(":col1", $col1);
$stmt->bindParam(":col2", $col2);
$stmt->bindParam(":col3", $col3);
$stmt->execute();

(the syntax may be slightly wrong; I am doing it from memory, with no access to my code or a PHP interpreter).

My point is that prepare() and bind() perform some "magicks", and I would not trade the security which they provide for some nice debugging.

Should I be concerned? Or should I go ahead and use it?

Mawg says reinstate Monica
  • `bind_param` isn't PDO, it's mysqli_. PDO is `bindParam()`. – Funk Forty Niner Oct 14 '16 at 12:41
  • Thanks (+1). Like I said, I did that from memory. Can you please update the question for me? The point of the question is the security of that approach, so I would not like to distract people from it with my poor coding skills. – Mawg says reinstate Monica Oct 14 '16 at 12:48
  • This stuff is irrelevant to PDO-DEBUG; it's a native feature of PDO. – Your Common Sense Oct 14 '16 at 12:52
  • Are you telling me that I lose no security if I use PDO-DEBUG as directed, as opposed to prepare() then bind()? If so, please feel free to post an answer. – Mawg says reinstate Monica Oct 14 '16 at 12:56
  • There's no difference in security whether you pass your arguments to `execute` or use `bind*()`, they're equally secure. The PDO-debug library merely needs the arguments in one array and doesn't accept them individually. FWIW, you can simply call it with `PdoDebugger::show($sql, ['col1' => $col1, ...])` without changing anything about your query. – deceze Oct 14 '16 at 12:59
  • No need to post, the answer is linked already. – Your Common Sense Oct 14 '16 at 13:00
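The equivalence deceze's comment describes, shown with the question's own query as an added example (not code from the question or from the PDO-DEBUG library): both binding styles go through the same prepared statement, and a display-only string for logging is built separately. It assumes an in-memory SQLite database and a hypothetical renderForLog() helper that stands in for PDO-DEBUG's rendering.

```php
<?php
// Added example, not the question's code nor PDO-DEBUG's. Uses in-memory SQLite
// so it runs offline; table and column names follow the question.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE test (col1 TEXT, col2 TEXT, col3 TEXT)');

$sql = 'INSERT INTO test (col1, col2, col3) VALUES (:col1, :col2, :col3)';

// Style 1: bind each placeholder individually. This is PDO's bindParam(),
// not mysqli's bind_param(); the value is read by reference at execute() time.
$col1 = "O'Reilly";
$col2 = 'second';
$col3 = 'third';
$stmt = $pdo->prepare($sql);
$stmt->bindParam(':col1', $col1);
$stmt->bindParam(':col2', $col2);
$stmt->bindParam(':col3', $col3);
$stmt->execute();

// Style 2: hand all values to execute() as one array. Same prepared statement,
// same separation of query text from data; only the calling convention differs,
// and this array shape is what a debug renderer needs.
$params = [':col1' => "O'Reilly", ':col2' => 'second', ':col3' => 'third'];
$pdo->prepare($sql)->execute($params);

// Hypothetical debug helper: interpolate quoted values into the SQL text for a
// log line. The returned string is for humans only and is never sent to the
// database; the real query still runs through prepare()/execute() above.
function renderForLog(PDO $pdo, string $sql, array $params): string
{
    // Replace longer names first so ':col1' never clobbers part of ':col10'.
    uksort($params, fn($a, $b) => strlen($b) <=> strlen($a));
    foreach ($params as $name => $value) {
        $sql = str_replace($name, $pdo->quote((string) $value), $sql);
    }
    return $sql;
}

echo renderForLog($pdo, $sql, $params), "\n";

// The apostrophe in "O'Reilly" was stored literally by both styles, which is
// the point of binding: the value never becomes part of the SQL text.
$count = $pdo->query("SELECT COUNT(*) FROM test WHERE col1 = 'O''Reilly'")
             ->fetchColumn();
echo "rows with col1 = O'Reilly: {$count}\n";
```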
