PHP PDO Bind or Execute

Asked Feb 15 '18 at 17:15

Active Feb 15 '18 at 17:19

Viewed 40 times

I have a simple question:

Which version is the correct one for preventing SQLi ?

$db_request = $db->prepare( "UPDATE users SET active = 0 WHERE id = ? AND active = ?" );

$db_request->execute( array( $uid, $hash ) );

using bindParam ?

Thanks for your time!

LE: ? = input from user

edited Feb 15 '18 at 17:19

asked Feb 15 '18 at 17:15

adi pslr

As long as you don't explain what is coming instead of the '?' chars in your SQL statement, it is impossible for us to know if injection is possible. – Pierre François Feb 15 '18 at 17:18
input from user – adi pslr Feb 15 '18 at 17:19
what do you mean by `preventing SQLi `??? – Rotimi Feb 15 '18 at 17:19
1

Potaytoe, potahto. – Funk Forty Niner Feb 15 '18 at 17:19
Both will work the same as far as injection prevention goes. There might be some other differences, take a look at the suggested duplicate for more information. – ishegg Feb 15 '18 at 17:20
with `bindParam()` , you can specify the data type in the third parameter. – Rotimi Feb 15 '18 at 17:20

0 Answers0