A community in which webmasters can ask for help with topics such as PHP coding , MySQL , IT jobs, web design, IT security.
Current location:homephp forumphp talk in 2009 yearWhy is using a mysql prepared statement more secure than using the common escape functions? - page 1
User InfoPosts
Why is using a mysql prepared statement more secure than using the common escape functions?#1
There(s a comment in another question that says the following:


"When it comes to database queries,
always try and use prepared
parameterised queries. The mysqli and
PDO libraries support this. This is
infinitely safer than using escaping
functions such as
mysql_real_escape_string."


Source

So, what i want to ask is: Why are prepared parameterized queries more secure?

posted date: 2009-04-08 18:24:00


Re: Why is using a mysql prepared statement more secure than using the common escape functions?#2
I had made out the solution of this problem. click to view my topic...

hope that hepls.

posted date: 2009-04-08 18:24:01


Re: Why is using a mysql prepared statement more secure than using the common escape functions?#3
For one, you(re leaving the escaping of dangerous characters to the database, which is a lot safer than you, the human.... it won(t forget to escape, or miss out on any special characters which could be used to inject some malicious SQL. Not to mention, you could possibly get a performance improvement to boot!

posted date: 2009-04-08 18:28:00


Re: Why is using a mysql prepared statement more secure than using the common escape functions?#4
But how does the database know the difference between what is dangerous and between what i really want it to do?

posted date: 2009-04-08 18:30:00


Re: Why is using a mysql prepared statement more secure than using the common escape functions?#5
Well it knows what characters are evil, so it should prepend the escape character '\' in MySQL before the evil character. This still does the query as-is, but it won't honour any special characters that appear in a binding.

posted date: 2009-04-08 18:32:00


Re: Why is using a mysql prepared statement more secure than using the common escape functions?#6
Also to note, you specify the 'bindings' separately (not concatenated in the query), and simply insert a placeholders in the query to where they should appear. The database (I think, maybe PDO does it?) then escapes characters inside the bindings.

posted date: 2009-04-08 18:34:00


Re: Why is using a mysql prepared statement more secure than using the common escape functions?#7
Very best case, it might not be, but it(s at least equally safe; and why take the chance?

posted date: 2009-04-08 18:39:00


Re: Why is using a mysql prepared statement more secure than using the common escape functions?#8
Because with prepared statements, you can(t forget to escape the content. So there are no way to introduce insecurity. mysql_real_escape_string is as safe as prepared statements IF you remember to use mysql_real_escape_string each time you call mysql_query, but it(s easy to forget.

posted date: 2009-04-08 18:40:00


Re: Why is using a mysql prepared statement more secure than using the common escape functions?#9
That's a good example, thank you.

posted date: 2009-04-08 18:41:00


Re: Why is using a mysql prepared statement more secure than using the common escape functions?#10
The function is not safe because of this exploit http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string. That is why prepared statements are preferred and it gives performance improvement as well.

posted date: 2009-04-08 18:45:00


Re: Why is using a mysql prepared statement more secure than using the common escape functions?#11
No worries, glad to help :)

posted date: 2009-04-08 18:55:00


Re: Why is using a mysql prepared statement more secure than using the common escape functions?#12
An important point that I think people here are missing is that with a database that supports parameterized queries, there is no (escaping( to worry about. The database engine doesn(t combine the bound variables into the SQL statement and then parse the whole thing; The bound variables are kept separate and never parsed as a generic SQL statement.That(s where the security and speed comes from. The database engine knows the placeholder contains data only, so it is never parsed as a full SQL statement. The speedup comes when you prepare a statement once and then execute it many times; the canonical example being inserting multiple records into the same table. In this case, the database engine needs to parse, optimize, etc. only once.Now, one gotcha is with database abstraction libraries. They sometimes fake it by just inserting the bound variables into the SQL statement with the proper escaping. Still, that is better than doing it yourself.

posted date: 2009-04-08 19:07:00


select page: « 1 2 »
Copyright ©2008-2017 www.momige.com, all rights reserved.