
List:       php-general
Subject:    Re: Using Database (PHP)
From:       Lester Caine <lester () lsces ! uk>
Date:       2020-07-15 9:59:25
Message-ID: 546830e3-8189-535c-839b-48814b5b255a () lsces ! uk

On 15/07/2020 10:25, Gernot Hassenpflug wrote:
> From what I remember reading, the prepare statement is separated from
> the query, so no injections possible. The statement is prepared on the
> server, so similar queries using the same prepare can be executed very
> efficiently.

Prepare has to happen before any execute to link the parameters to the 
place holders. Where it becomes more productive is if you have a list of 
data that you want to upload, such as the lines of an order. You simply 
prepare the query and then loop through the list running the prepared 
query with each new set of parameters. If you only need to run the same 
query once then there is little point in manually preparing the query; 
just allow it to automatically prepare and execute. The security aspect 
here is the use of place holders in the query rather than prepare doing 
anything special. Without the place holders, text can be added to the 
query potentially 'injecting' extra SQL, while the prepared query would 
use the 'injected' text as the value to insert into that place holder. 
On my systems we tend to get faults due to the text being too long for 
the underlying field, so one still needs to handle a level of testing on 
the data used as a parameter ... although at least things you may not 
have considered will be safer.

-- 
Lester Caine - G8HFL
-----------------------------
Contact - https://lsces.uk/wiki/Contact
L.S.Caine Electronic Services - https://lsces.uk
Model Engineers Digital Workshop - https://medw.uk
Rainbow Digital Media - https://rainbowdigitalmedia.uk
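The pattern Lester describes (prepare once with placeholders, execute once per order line, and still check the value length yourself), as an added example that is not code from his post or from the PHP project. It assumes PDO with an in-memory SQLite database so it runs stand-alone; the order_lines table, the 40-byte sku limit (SKU_MAX_LEN) and the order lines, including the one carrying SQL-looking text, are constructed for the example. SQLite does not enforce declared column widths, so the length check is done in PHP where the post says it is still needed.

```php
<?php
// Added example (not from the original post). Shows that placeholders make
// "injected" text an ordinary value, and that an application-side length
// check is still required before a value is bound.
declare(strict_types=1);

const SKU_MAX_LEN = 40; // assumed width of order_lines.sku; not enforced by SQLite

function createSchema(PDO $pdo): void
{
    $pdo->exec('CREATE TABLE order_lines (
        order_id INTEGER NOT NULL,
        sku      TEXT    NOT NULL,
        qty      INTEGER NOT NULL,
        note     TEXT
    )');
}

// UNSAFE, shown only for contrast and never executed here: the sku text is
// concatenated into the SQL, so a quote in it ends the literal and the rest
// becomes part of the statement.
function unsafeInsertSql(int $orderId, array $line): string
{
    return "INSERT INTO order_lines (order_id, sku, qty, note) VALUES ("
        . $orderId . ", '" . $line['sku'] . "', " . $line['qty'] . ", NULL)";
}

// SAFE: prepare once, bind each line's values to the placeholders, execute
// per line. Returns how many rows were inserted and which lines were
// rejected by the length check.
function insertOrderLines(PDO $pdo, int $orderId, array $lines): array
{
    $stmt = $pdo->prepare(
        'INSERT INTO order_lines (order_id, sku, qty, note)
         VALUES (:order_id, :sku, :qty, :note)'
    );
    $inserted = 0;
    $rejected = [];
    foreach ($lines as $i => $line) {
        // Placeholders stop the text becoming SQL, but not a value that is
        // too long for the column; check that before it reaches the driver.
        if (strlen($line['sku']) > SKU_MAX_LEN) {
            $rejected[] = $i;
            continue;
        }
        $stmt->bindValue(':order_id', $orderId, PDO::PARAM_INT);
        $stmt->bindValue(':sku', $line['sku'], PDO::PARAM_STR);
        $stmt->bindValue(':qty', $line['qty'], PDO::PARAM_INT);
        $stmt->bindValue(':note', $line['note'],
            $line['note'] === null ? PDO::PARAM_NULL : PDO::PARAM_STR);
        $stmt->execute();
        $inserted++;
    }
    return ['inserted' => $inserted, 'rejected' => $rejected];
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($pdo);

// Constructed order: line 2 looks like an injection attempt, line 3 is too
// long for the assumed column width.
$orderId = 1001;
$lines = [
    ['sku' => 'WIDGET-01', 'qty' => 3, 'note' => 'gift wrap'],
    ['sku' => 'GADGET-02', 'qty' => 1, 'note' => null],
    ['sku' => "X'); DROP TABLE order_lines; --", 'qty' => 1, 'note' => "O'Brien"],
    ['sku' => str_repeat('LONG-SKU-', 8), 'qty' => 2, 'note' => null],
];

echo "Unsafe SQL that would have been sent for line 2:\n  ",
    unsafeInsertSql($orderId, $lines[2]), "\n\n";

$result = insertOrderLines($pdo, $orderId, $lines);
printf("Inserted %d rows; rejected line indexes: %s\n",
    $result['inserted'], implode(',', $result['rejected']));

// The "injected" text was stored as data and the table still exists.
$q = $pdo->prepare('SELECT sku FROM order_lines WHERE order_id = :id ORDER BY rowid');
$q->execute([':id' => $orderId]);
foreach ($q->fetchAll(PDO::FETCH_COLUMN) as $sku) {
    echo "  stored sku: ", $sku, "\n";
}
$tables = $pdo->query("SELECT name FROM sqlite_master WHERE type = 'table'")
              ->fetchAll(PDO::FETCH_COLUMN);
echo "Tables present: ", implode(', ', $tables), "\n";
```

With a MySQL connection the same code applies, but set PDO::ATTR_EMULATE_PREPARES to false so the prepare really happens on the server and the parameters travel separately from the statement; with SQLite the driver already prepares natively. Either way the protection comes from the placeholders, not from the prepare call itself, which is the point of the reply above.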