
Johannes Schluter's Blog:
Escaping from the statement mess
May 19, 2011 @ 09:30:45

In a new post to his blog, Johannes Schluter suggests an alternative to prepared statements for database-backed PHP applications: a handler method that builds dynamic queries while still escaping every value properly.

Now prepared statements were a nice invention some 30 years ago but they weren't meant for making things secure and so they do have some shortcomings: One issue is that preparing and executing a query adds a round-trip to the server where it then requires resources. [...] With prepared statements you first have to build the list of placeholders (the exact amount of placeholders (?) separated by a comma, without trailing comma) and then bind the values and mind the offsets when having other values - this typically becomes ugly code.

He includes the code for his alternative: a function built on the mysqli extension that lets you write dynamic SQL with placeholders, escapes the bound values properly to prevent SQL injection, and sends the finished query in a single round trip, avoiding the resource cost of the extra hop that a prepare/execute pair adds.
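As an added illustration (this is not the code from Johannes' post), the PHP 8 helper below shows the shape of such a handler: it expands ? placeholders client-side, quotes each value with mysqli's charset-aware real_escape_string(), and turns arrays into the (a, b, c) lists whose hand-built placeholder strings the quote complains about, so the query reaches the server in one round trip. The connection credentials, table and column names are assumed.

```php
<?php
declare(strict_types=1);

// Added example, not the original post's code: a placeholder-expanding query
// handler on top of mysqli (PHP 8+). Only values can be bound; identifiers cannot.

/** Quote one PHP value as a MySQL literal; arrays become "(a, b, c)" lists. */
function quoteValue(mysqli $db, mixed $value): string
{
    return match (true) {
        $value === null   => 'NULL',
        is_bool($value)   => $value ? '1' : '0',
        is_int($value)    => (string) $value,
        is_float($value)  => (string) $value,          // locale-independent since PHP 8.0
        is_string($value) => "'" . $db->real_escape_string($value) . "'",
        is_array($value)  => $value === []
            ? throw new InvalidArgumentException('empty list cannot be bound (would emit "()")')
            : '(' . implode(', ', array_map(fn (mixed $v): string => quoteValue($db, $v), $value)) . ')',
        default           => throw new InvalidArgumentException(
            'cannot bind value of type ' . get_debug_type($value)),
    };
}

/** Replace each "?" in $sql with the quoted value at the same position. */
function bindInline(mysqli $db, string $sql, array $params): string
{
    $pieces = explode('?', $sql);   // limitation: a literal "?" inside the SQL text is not supported
    $params = array_values($params);
    if (count($pieces) - 1 !== count($params)) {
        throw new InvalidArgumentException(sprintf(
            '%d placeholders but %d parameters', count($pieces) - 1, count($params)));
    }
    $out = $pieces[0];
    foreach ($params as $i => $value) {
        $out .= quoteValue($db, $value) . $pieces[$i + 1];
    }
    return $out;
}

// Usage with assumed credentials. set_charset() comes first: real_escape_string()
// is only correct for the charset the connection actually uses.
$db = new mysqli('localhost', 'app_user', 'secret', 'app');
$db->set_charset('utf8mb4');
$sql = bindInline(
    $db,
    'SELECT id, name FROM users WHERE id IN ? AND name LIKE ? AND deleted = ?',
    [[3, 7, 12], "O'%", false],
);
$result = $db->query($sql);   // a single round trip: no separate prepare/execute
```

Table and column names still have to come from an allow-list in application code, since the helper only quotes values. The escaping is exactly as trustworthy as the charset it was told about, which is why set_charset() precedes any call to bindInline().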


All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework