
Prepared statements vs. real escape string

security implications

     

rover

12:55 am on Oct 14, 2008 (gmt 0)




Do prepared statements offer more security than using real_escape_string with mysqli?

For example:

real_escape_string:

$id = $mysqli->real_escape_string($id);
$sql = "SELECT * FROM table WHERE id = $id ";
etc. etc.

prepared statement:
$sql = "SELECT * FROM table WHERE id = ? ";
etc. etc.

I have started using prepared statements, but they are much harder for me to debug when things go wrong. Before I could simply output the actual sql statement to see the exact query that was causing the problem. I can't find a way to do this with prepared statements (since I only get back the statement with the '?' placeholders, and I can't see what actually is within the placeholders).

So, aside from performance aspects where prepared statements can be faster for multiple queries using the same statement, does anyone know if there is more security with prepared statements or is using the real escape string on variables going into the sql basically providing the same level of security?
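The two patterns in the question, side by side, as an added example that is not code from this thread. Python's sqlite3 module stands in for PHP/mysqli (the placeholder-and-bind idea is the same), the escape function mimics what real_escape_string does in SQLite's quoting dialect, and the users table and its rows are constructed for the demo. It also includes a render_for_log helper for the debugging problem raised above: it rebuilds the effective query text from the placeholders and the values that were bound, for logging only.

```python
import sqlite3

# Constructed sample data standing in for the poster's "table".
SAMPLE_ROWS = [(1, "alice", "alice@example.com"),
               (2, "bob", "bob@example.com"),
               (3, "carol", "carol@example.com")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def escape_string(value: str) -> str:
    """Stand-in for mysqli::real_escape_string in SQLite's dialect (SQLite doubles the
    quote where MySQL backslash-escapes it). Either way it only makes a value safe
    *inside* a quoted string literal; it does nothing for an unquoted position."""
    return value.replace("'", "''")


def lookup_escaped_unquoted(conn, user_id: str):
    # The first pattern from the question: escaped, then interpolated into a numeric
    # (unquoted) position. There is no quote for the attacker to break out of, so
    # nothing gets escaped and the input is parsed as SQL.
    sql = f"SELECT id FROM users WHERE id = {escape_string(user_id)}"
    return [r[0] for r in conn.execute(sql)]


def lookup_escaped_quoted(conn, name: str):
    # Escaping does its job here, because the value sits between quotes.
    sql = f"SELECT id FROM users WHERE name = '{escape_string(name)}'"
    return [r[0] for r in conn.execute(sql)]


def lookup_bound(conn, user_id: str):
    # The second pattern: placeholder plus bound parameter. The driver hands the value
    # to the engine separately from the SQL text, so it is compared as data and is never
    # parsed as SQL, whatever it contains. Validating it as an integer first is still
    # good hygiene; it is left raw here to show the binding alone doing the work.
    return [r[0] for r in conn.execute("SELECT id FROM users WHERE id = ?", (user_id,))]


def render_for_log(sql: str, params) -> str:
    """Debug aid for 'I can only see the ?s': substitute the bound values into the
    text so the effective query can be logged. Never execute the rendered string;
    it is a reconstruction, not what the engine ran."""
    parts = sql.split("?")
    if len(parts) - 1 != len(params):
        raise ValueError("placeholder/parameter count mismatch")
    out = parts[0]
    for value, rest in zip(params, parts[1:]):
        if isinstance(value, (int, float)):
            literal = str(value)
        else:
            literal = "'" + escape_string(str(value)) + "'"
        out += literal + rest
    return out


if __name__ == "__main__":
    db = make_db()
    print("escaped, unquoted id, input '1 OR 1=1':", lookup_escaped_unquoted(db, "1 OR 1=1"))
    print("escaped, quoted name, input \"' OR '1'='1\":", lookup_escaped_quoted(db, "' OR '1'='1"))
    print("bound id, input '1 OR 1=1':", lookup_bound(db, "1 OR 1=1"))
    print("for the log:", render_for_log("SELECT id FROM users WHERE id = ? AND name = ?",
                                         (1, "o'brien")))
```

The escaped-but-unquoted lookup returns every row for the input `1 OR 1=1`, the quoted lookup and the bound lookup return nothing for their injection attempts, and the log helper shows the query as it would read with the values in place. In mysqli the same debugging approach applies: log the SQL string together with the values you passed to bind_param, since the interpolated form never exists on the client side.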

eelixduppy

7:38 pm on Oct 26, 2008 (gmt 0)




As far as security goes, as long as both are used correctly, they should both offer enough security to prevent SQL injection.

Sekka

3:10 pm on Oct 27, 2008 (gmt 0)




As far as I am aware, the only big difference is that prepared statements force you to be more secure, while manual query building can create exploits, as all it would take is missing one escape.

On another note, I believe preparing statements increases speed?
