
Bind variables in PHP-MySQL

I am using the code below to execute a MySQL query in PHP.

$cus_id = '1';
$query = new QUERY();
$clause = "SELECT * FROM customers WHERE cus_id=:cus_id AND status='ACTIVE'";
$params = array('cus_id'=>$cus_id);
$result = $query->run($clause, $params)->fetchAll();

Now the question is: is it secure enough? Or do I need to bind the static string as well? Something like:

$clause = "SELECT * FROM customers WHERE cus_id=:cus_id AND status=:status";
$params = array('cus_id'=>$cus_id, 'status'=>'ACTIVE');

It's secure because ACTIVE isn't user input. So you don't need to bind it.

It's fine the way you have it. The value for status isn't being dynamically assembled and doesn't create any vulnerabilities.
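As an added example (not the asker's QUERY class and not code from either answer), a thin PDO wrapper that shows the distinction both answers draw: the request-supplied cus_id is bound, the developer-written 'ACTIVE' literal stays inline, and a status the user could choose is bound after an allow-list check. It uses an in-memory SQLite database with constructed rows so it runs stand-alone; against MySQL only the DSN would change.

```php
<?php
// Added example, not the asker's QUERY class: a thin PDO wrapper that shows
// which parts of a query must be bound. SQLite in memory keeps it stand-alone;
// against MySQL the DSN would be 'mysql:host=...;dbname=...;charset=utf8mb4'.
final class Query
{
    private PDO $pdo;
    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
    }

    /** Prepare $clause and bind each $params entry to its named placeholder. */
    public function run(string $clause, array $params = []): PDOStatement
    {
        $stmt = $this->pdo->prepare($clause);
        foreach ($params as $name => $value) {
            // Values travel as typed parameters, never as text spliced into the SQL.
            $stmt->bindValue(':' . $name, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
        }
        $stmt->execute();
        return $stmt;
    }
}
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
// Constructed sample data.
$pdo->exec("CREATE TABLE customers (cus_id INTEGER PRIMARY KEY, name TEXT, status TEXT)");
$pdo->exec("INSERT INTO customers VALUES (1, 'Alice', 'ACTIVE'), (2, 'Bob', 'INACTIVE')");
$query = new Query($pdo);

// cus_id comes from the request, so it is bound; 'ACTIVE' is a literal the
// developer wrote, so it can stay inline exactly as in the question.
$cus_id = $_GET['cus_id'] ?? '1';
$clause = "SELECT * FROM customers WHERE cus_id = :cus_id AND status = 'ACTIVE'";
var_dump(count($query->run($clause, ['cus_id' => $cus_id])->fetchAll()));   // Alice's row
// A bound value is data: a malformed id such as "1'" simply matches no row
// instead of breaking or altering the statement.
var_dump(count($query->run($clause, ['cus_id' => "1'"])->fetchAll()));      // no rows

// Only when the status itself is user-chosen does it need binding too, best
// after an allow-list check so unexpected values never reach the database.
$status = $_GET['status'] ?? 'ACTIVE';
if (!in_array($status, ['ACTIVE', 'INACTIVE'], true)) {
    $status = 'ACTIVE';
}
$clause = "SELECT * FROM customers WHERE cus_id = :cus_id AND status = :status";
var_dump(count($query->run($clause, ['cus_id' => $cus_id, 'status' => $status])->fetchAll()));
```

Run it from the CLI (where $_GET is empty) to see the defaults, or behind a web server to exercise the request-supplied values; the pdo_sqlite extension ships with standard PHP builds.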
