
Do I need prepared statement on each query?

$query = "SELECT 1 FROM users WHERE username = :username";
$query_params = array(':username' => $_POST['username']);
try
{
    $stmt = $db->prepare($query);
    $result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
    die("Failed to run query: " . $ex->getMessage());
}

$row = $stmt->fetch();
if($row)
{
    die("This username is already in use");
}

This all works, but:

  1. Do I really need a prepared statement if the query is just SELECT or SELECT COUNT?
    Because, if there are no INSERT / UPDATE / DELETE operations on the table, I suppose there is no danger of SQL injection or spam?

  2. Do I really need a try/catch statement each time I go to the database?

If you put any variable into the query that can be changed in any way, then you (must) use prepared statements.

There is always a danger of SQL injection even on SELECT statements because someone could terminate the SELECT and append an INSERT statement in the username. However, if you are using mysql_real_escape_string() or else your DB classes escape your values for you then you don't have to worry about try/catch on a SELECT statement. If you have escaped your values this is sufficient for your SQL:

$username = mysql_real_escape_string($username); // escape the string first.
$query = "SELECT 1 FROM users WHERE username = '$username'";

1) No, you don't have to use prepared statements; you could use e.g. PDO::query and PDO::quote to build up a query using string concatenation. HOWEVER -- YES, any time you're using externally-supplied strings, there is a risk of damage from SQL injection, even if you're just doing a SELECT. For example, an attacker could try to run two statements in one by using a ";" in the supplied string. PDO::quote is another way to safeguard against this.

2) You could throw the error out of your calling code, but somewhere you'll have to consider error handling.
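To make the point of the answer above concrete, here is an added example (not code from the question or any answer) that runs the same "is this username taken?" check two ways against an in-memory SQLite database, and handles errors with a single top-level try/catch instead of one per query. The table, the sample rows and the crafted input are constructed for the example; it assumes PHP with the pdo_sqlite extension.

```php
<?php
// Added example: vulnerable string concatenation beside the prepared-statement
// form, on a throwaway SQLite database so it runs without a MySQL server.

function openDb(): PDO
{
    // ERRMODE_EXCEPTION makes every failed query throw, so one try/catch at the
    // top of the request is enough; no per-query try/catch is needed.
    // (For MySQL you would add PDO::ATTR_EMULATE_PREPARES => false as well.)
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)');
    // Constructed sample rows.
    $db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");
    return $db;
}

// Vulnerable: the value is pasted into the SQL text, so a quote character in
// the input changes the shape of the query even though it is "only a SELECT".
function usernameTakenUnsafe(PDO $db, string $username): bool
{
    $sql = "SELECT 1 FROM users WHERE username = '$username'";
    return (bool) $db->query($sql)->fetch();
}

// Hardened: the value is sent as a bound parameter and is never parsed as SQL.
function usernameTaken(PDO $db, string $username): bool
{
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return (bool) $stmt->fetch();
}

try {
    $db = openDb();
    // Constructed input: an unknown name followed by extra SQL text.
    $crafted = "nobody' OR '1'='1";

    var_dump(usernameTaken($db, 'alice'));         // bool(true)  - real row
    var_dump(usernameTaken($db, 'carol'));         // bool(false) - no such row
    var_dump(usernameTaken($db, $crafted));        // bool(false) - compared as a literal string
    var_dump(usernameTakenUnsafe($db, $crafted));  // bool(true)  - the WHERE clause now matches every row
} catch (PDOException $e) {
    // One handler for the whole request; log the detail, do not echo it to the user.
    error_log('Database error: ' . $e->getMessage());
    exit(1);
}
```

The last two calls show why a read-only query still needs a prepared statement: with the bound parameter the crafted string is simply a username nobody has, while with concatenation it rewrites the WHERE clause and the check reports the name as taken. The single try/catch around the whole block is the answer to the second question: once ERRMODE_EXCEPTION is set, any query that fails will reach it.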

As far as connecting to the database goes, this is the only approach you need. Try and catch (if you are using a MySQL database):

try {
    $conn = new PDO('mysql:host=localhost;dbname=DBNAME', 'USER', 'PASS', array(PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
} catch(PDOException $e) {
    echo 'ERROR: ' . $e->getMessage();
}

Plus, there is a built-in count query for count:

$affected_rows = $stmt->rowCount();

Here is a good tutorial, if you never knew

http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers
