
I'm writing PHP code and using a MySQL database. I wonder about parameter binding, and here is an example with a field (pw) excluded:

If the user sends a username via a form, and it comes in as POST:

$username = $_POST["username"];

and then it is used to log in:

$query = "SELECT * FROM users WHERE username = :username";

then:

$stmt = $conn->prepare($query);
$stmt->bindParam(":username", $username);

Is there any protection here? I mean, compared to using the POST variable directly.

Greetings

Valter Ekholm

1 Answer


It makes no difference whether you use:

$stmt->bindParam(":username", $username);

or

$stmt->bindParam(":username", $_POST['username']);

They both contain the same value, and binding them to the parameter is exactly the same.

The protection comes from binding the parameter with a prepared statement, not the choice of variable to bind it to.

Barmar
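As an added example (not part of the question or of Barmar's answer), here is a self-contained PHP script that shows the difference the answer describes. It uses an in-memory SQLite database through PDO so it runs offline (the MySQL DSN is shown in a comment), and the table, rows and the username value are constructed for the demonstration.

```php
<?php
// Added example, not from the original question or answer. Uses an
// in-memory SQLite database through PDO so it runs offline; the
// commented-out MySQL connection shows the equivalent setup there.
declare(strict_types=1);

// $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $dbUser, $dbPass, [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // let the MySQL server do the binding itself
// ]);
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)");
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// Constructed sample of what can arrive in $_POST['username']: a quote
// character followed by SQL instead of a plain name.
$_POST['username'] = "' OR '1'='1";

// Unsafe: the request value is pasted into the SQL text, so the quote in it
// closes the string literal and the rest is parsed as part of the query.
function lookupUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the query structure is fixed when prepare() runs; the value is
// supplied afterwards as data (sent separately with native prepares, or
// quoted by PDO with emulated prepares) and is never parsed as SQL.
// This is the pattern from the question; whether $username or
// $_POST['username'] is bound makes no difference.
function lookupBound(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare("SELECT username FROM users WHERE username = :username");
    $stmt->bindParam(":username", $username);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(lookupUnsafe($pdo, $_POST['username']));
print_r(lookupBound($pdo, $_POST['username']));
```

Run it with the php CLI: the concatenated query matches every row because the input became part of the WHERE clause, while the bound query matches no row because the whole string was compared as a username.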