PHP Server Side Scripting Forum

    
Prepared statements vs. real escape string
security implications
rover
msg:3765048, 12:55 am on Oct 14, 2008 (gmt 0)

Do prepared statements offer more security than using real_escape_string with mysqli?

For example:

real_escape_string:

$id  = $mysqli->real_escape_string($id);
$sql = "SELECT * FROM table WHERE id = '$id'";   // the escaped value must sit inside quotes
etc. etc.

prepared statement:

$sql = "SELECT * FROM table WHERE id = ?";       // the value is bound separately, e.g. with bind_param()
etc. etc.

I have started using prepared statements, but they are much harder for me to debug when things go wrong. Before I could simply output the actual sql statement to see the exact query that was causing the problem. I can't find a way to do this with prepared statements (since I only get back the statement with the '?' placeholders, and I can't see what actually is within the placeholders).

So, aside from performance aspects where prepared statements can be faster for multiple queries using the same statement, does anyone know if there is more security with prepared statements or is using the real escape string on variables going into the sql basically providing the same level of security?
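The two approaches side by side, plus a helper that rebuilds a readable query from the placeholders and bound values for logging (the debugging gap raised above). This is an added example, not code from the thread; the table `table` and column id come from the post, and the connection details are placeholders.

```php
<?php
// Added example, not code from the thread. Table `table` and column id are from the
// original post; the connection details at the bottom are placeholders.

function find_by_id_escaped(mysqli $db, string $id): ?array
{
    // Escaping only neutralises quote and backslash characters, so it protects
    // the value only inside a quoted SQL string literal. Leaving the quotes off,
    // as in the original post, defeats the escaping for non-string input.
    $safe = $db->real_escape_string($id);
    $sql  = "SELECT * FROM `table` WHERE id = '$safe'";
    $res  = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

function find_by_id_prepared(mysqli $db, string $id): ?array
{
    // Query text and value reach the server separately; the value is never
    // parsed as SQL, so there is no quoting step to get wrong.
    $stmt = $db->prepare("SELECT * FROM `table` WHERE id = ?");
    $stmt->bind_param('s', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Debugging aid for the poster's complaint: substitute the bound values back into
// the placeholder query so the log shows the effective query. Read-only output,
// never something to execute, because it is built by string interpolation and the
// simple '?' scan does not skip '?' characters inside string literals.
function debug_sql(mysqli $db, string $sql, array $params): string
{
    $offset = 0;
    foreach ($params as $p) {
        $literal = is_int($p) || is_float($p)
            ? (string) $p
            : "'" . $db->real_escape_string((string) $p) . "'";
        $pos = strpos($sql, '?', $offset);
        if ($pos === false) { break; }
        $sql    = substr_replace($sql, $literal, $pos, 1);
        $offset = $pos + strlen($literal);
    }
    return $sql;
}

// Usage (placeholder credentials): $db = new mysqli('localhost', 'user', 'pass', 'dbname');
// error_log(debug_sql($db, "SELECT * FROM `table` WHERE id = ?", [$id]));
// $row = find_by_id_prepared($db, $id);
```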

 

eelixduppy
msg:3773792, 7:38 pm on Oct 26, 2008 (gmt 0)

As far as security goes, as long as both are used correctly, then they should both offer enough security to prevent SQL injections.

Sekka
msg:3774268, 3:10 pm on Oct 27, 2008 (gmt 0)

As far as I am aware, the only big difference is that prepared statements force you to be more secure, while manual query building can create exploits, as all it would take is missing 1 escape.

On another note, I believe preparing statements increases speed?
