
For performance reasons, I would like to ask if it's secure to use classic mysqli queries with WHERE variables which come out of a MySQL database and have already been retrieved via a mysqli prepared query. All those variables are integers.

I am asking whether SQL injection would still be possible.
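As an added example (not code from the question or the comments), assuming a table `orders` with an integer column `customer_id` and an already open `$mysqli` connection: the interpolation the question describes, with an explicit integer check so that the query string can never receive anything but a real integer, beside the prepare-once, execute-many form that the comments recommend.

```php
<?php
// Added example; assumes table `orders` (int column `customer_id`) and an
// open mysqli connection. Neither table nor connection comes from the question.

// The pattern the question proposes: $ids came out of an earlier prepared
// query. Interpolating them still makes safety depend on what the source
// column really holds, so each value is validated as an integer first.
// A non-integer value throws instead of ever reaching the query string.
function fetchOrdersInterpolated(mysqli $mysqli, array $ids): array
{
    $rows = [];
    foreach ($ids as $id) {
        $safeId = filter_var($id, FILTER_VALIDATE_INT);
        if ($safeId === false) {
            throw new UnexpectedValueException(
                'non-integer customer_id: ' . var_export($id, true)
            );
        }
        // $safeId is now a PHP int, so the string contains only digits (and sign).
        $res = $mysqli->query("SELECT id, total FROM orders WHERE customer_id = $safeId");
        $rows = array_merge($rows, $res->fetch_all(MYSQLI_ASSOC));
    }
    return $rows;
}

// Prepared once and executed per id: the statement text is sent a single
// time, every execute only ships the parameter, and the type or origin of
// $id no longer matters for safety.
function fetchOrdersPrepared(mysqli $mysqli, array $ids): array
{
    $stmt = $mysqli->prepare('SELECT id, total FROM orders WHERE customer_id = ?');
    $id = 0;
    $stmt->bind_param('i', $id);   // bound by reference; reassigned in the loop
    $rows = [];
    foreach ($ids as $id) {
        $stmt->execute();
        $rows = array_merge($rows, $stmt->get_result()->fetch_all(MYSQLI_ASSOC));
    }
    $stmt->close();
    return $rows;
}
```

`get_result()` needs the mysqlnd driver, which is the default in current PHP builds; with the older libmysqlclient driver, use `bind_result()` and `fetch()` instead.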

  • Why not always use prepared statements? Consistent coding will always be protective of your environment no matter where the data comes from. There is no performance loss with prepared statements and in many ways they're more efficient. – Jay Blanchard Oct 28 '16 at 19:46
  • It's simple, fewer lines of code, and from what I read it's faster as well. Plus all input variables are already coming from a prepared statement query. – 120382833 Oct 28 '16 at 19:48
  • It is no fewer lines of code and it's no faster. [As a matter of fact...](http://www.theserverside.com/news/1365244/Why-Prepared-Statements-are-important-and-how-to-use-them-properly), *"This means every iteration is sending the same statement to the database with different parameters for the `c=?` part. This allows the database to reuse the access plans for the statement and makes the program **execute more efficiently** inside the database. This basically lets your application run faster or makes more CPU available to users of the database."* – Jay Blanchard Oct 28 '16 at 19:50
  • Where did you read that "classic" queries are faster? That information is, in most cases, wrong. Fewer lines of code? Uhm... a prepared statement takes two lines of code, while a regular query takes one? That doesn't warrant an insecure solution using outdated syntax. – junkfoodjunkie Oct 28 '16 at 19:58
  • @junkfoodjunkie a prepared statement involves two round-trips to the database, thus insignificantly slower. Not two but [five lines at the very least](https://phpdelusions.net/pdo/mysqli_comparison#column). Doesn't justify the OP's wishes, but just for clarity. – Your Common Sense Oct 30 '16 at 10:37
  • You're talking about mysqli_, not PDO. That's not my problem :) – junkfoodjunkie Oct 30 '16 at 11:17

0 Answers