
Please comment on the following code; I need to know if this is what you would consider a prepared statement. My server will not accept question marks as placeholders (it gives me an error when I tried), so I ended up doing it this way, which does work, but I am concerned about getting hacked. Thank you in advance.

//
// Insert data into database
//
$sql = "INSERT INTO users (username) VALUES (:username)";   // SQL text contains only the named placeholder, no interpolated variables
$stmt = $link->prepare($sql);                               // $link is an existing PDO connection
$stmt->bindParam(':username', $Param_username);             // binds the variable by reference; its value is read at execute() time
$Param_username = $username;                                // assigning after bindParam() is fine for that reason
$stmt->execute();                                           // value is sent separately from the SQL, so it is never parsed as SQL
  • Yes, this is a normal prepared statement. – Barmar Jul 12 '18 at 22:06
  • As long as you don't have any variables in `$sql`, you're fine. – Barmar Jul 12 '18 at 22:06
  • Why won't your server allow question marks as placeholders? That's standard PDO syntax. – Barmar Jul 12 '18 at 22:07
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/master/authentication) built-in. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and **never store passwords as plain-text** or a weak hash like **SHA1 or MD5**. – tadman Jul 12 '18 at 22:23
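The following is an added, self-contained example (not code from the question or from the commenters) that shows the asker's named-placeholder pattern and the positional `?` form side by side, both backed by PDO. It uses an in-memory SQLite database so it runs offline; the table, the usernames and the `$link` variable name are constructed for the demonstration. It also shows why assigning the variable after `bindParam()` works, and that a value containing a quote is stored literally rather than interpreted as SQL.

```php
<?php
// Added example, not from the original post. Uses SQLite in memory so that no
// database server is needed; the table and usernames are constructed here.

$link = new PDO('sqlite::memory:');
$link->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL you would typically also set PDO::ATTR_EMULATE_PREPARES to false so
// the server, not the PHP driver, handles placeholders; SQLite prepares natively.

$link->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)");

// 1. Named placeholder bound by reference, as in the question. bindParam()
//    binds the variable itself, so the value assigned afterwards is the one
//    read when execute() runs.
$sql = "INSERT INTO users (username) VALUES (:username)";
$stmt = $link->prepare($sql);
$stmt->bindParam(':username', $Param_username);
$Param_username = "alice";
$stmt->execute();

// 2. The same prepared statement reused with a value containing a quote.
//    Because the value travels separately from the SQL text, it is stored as
//    the literal string o'brien; nothing in it is parsed as SQL. The pattern a
//    prepared statement replaces is building the string from data, e.g.
//    "INSERT INTO users (username) VALUES ('$username')", where that quote
//    would change the statement.
$Param_username = "o'brien";
$stmt->execute();

// 3. Positional placeholders with values passed to execute(): the shorter form
//    with '?' that the commenters refer to. PDO accepts both placeholder styles;
//    if '?' is rejected, something between the script and PDO is rewriting the
//    SQL, which is worth checking.
$stmt2 = $link->prepare("INSERT INTO users (username) VALUES (?)");
$stmt2->execute(["carol"]);

// 4. bindValue() binds the current value at call time rather than a reference,
//    so a later reassignment is NOT picked up. Using it here inserts "dave".
$stmt3 = $link->prepare("INSERT INTO users (username) VALUES (:username)");
$name = "dave";
$stmt3->bindValue(':username', $name);
$name = "erin";   // ignored by $stmt3
$stmt3->execute();

// Read back: every username is stored exactly as supplied.
$rows = $link->query("SELECT username FROM users ORDER BY id")->fetchAll(PDO::FETCH_COLUMN);
foreach ($rows as $row) {
    echo $row, PHP_EOL;
}
```

The contrast between steps 1 and 4 is the practical caveat for the asker's code: `bindParam()` is a reference binding, so assigning `$Param_username` after the bind call works, whereas with `bindValue()` the order would matter. Either way the SQL text never contains user data, which is what makes it a prepared statement in the sense the comments describe.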

0 Answers