Doubt in the security of PHP PDO


3

I would like to know the difference in safety level between the two code snippets below:

// SNIPPET 1
<?php
$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
    FROM fruit
    WHERE calories < ? AND colour = ?');
$sth->bindParam(1, $calories, PDO::PARAM_INT);
$sth->bindParam(2, $colour, PDO::PARAM_STR, 12);
$sth->execute();
?>

// SNIPPET 2
<?php
$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
    FROM fruit
    WHERE calories < ? AND colour = ?');
$sth->execute(array($calories,$colour));
?>

In snippet 1, bindParam() is used; in snippet 2 the parameters are passed directly to execute(), but prepare() is still used.

2 answers

5


In terms of security there is no difference. One of the differences is that bindParam(), in addition to offering parameter typing (PDO::PARAM_STR, PDO::PARAM_INT, etc.), has other obscure features for use with stored procedures. See the method signature.

public bool PDOStatement::bindParam ( mixed $parameter , mixed &$variable [, int $data_type = PDO::PARAM_STR [, int $length [, mixed $driver_options ]]] )

When using execute(), all parameters are sent as PDO::PARAM_STR; the most that can happen is that your query fails if you have a placeholder in the LIMIT/OFFSET clause.

Related:

What is the difference between bindParam and bindValue?

Using PDO is the safest way to connect to a PHP BD?

  • If I set a type and pass a parameter that does not match it, does it convert and execute, or does it not execute?

  • If you type a string as boolean it will work; you will only have a problem in the case I quoted in the question, since prepared statements are emulated by default. @Miguelneto

3

Technically and theoretically, there is no difference, because if you analyze the first case, where you used bindParam with positional placeholders (?):

$sth->bindParam(1, $calories, PDO::PARAM_INT);

You used the number 1 as a reference to that placeholder.

Writing the parameters inline, along with the execute method, you are doing nothing different: each value receives an index according to the number of placeholders specified.

$sth->execute( array( 0 => 150, 1 => 'red' ) ); 

It would be the same as doing:

$params = array(150,'red');
$sth->execute($params);

If you still have questions, I recommend you read this:

  • $sth->execute( array( 1 => 150, 2 => 'red' ) ); returns: SQLSTATE[HY093]: Invalid parameter number: parameter was not defined. If you remove the indexes as in the second example, or start at zero, it does not occur; only bindValue/bindParam need to start with 1.

  • I kept the indexes in the edit; they should have been removed so that it would be normal. The error SQLSTATE[HY093]: Invalid parameter number: is due to index 0, which is treated as NULL precisely because of this; that is, it does not exist in the array but becomes a fictitious value at execution time, when the parameters are laid out.
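As an added example covering both answers (it is not code from the question or from either answer), the following script runs the two binding styles side by side, including the 1-based-key mistake and the LIMIT case where the parameter type matters. It assumes a MySQL connection with placeholder credentials and a fruit(name, colour, calories) table; the run() helper is hypothetical.

```php
<?php
// Added example, not code from the question or either answer. Assumes a MySQL
// connection (placeholder DSN/credentials) and a table fruit(name, colour, calories).
$dbh = new PDO('mysql:host=localhost;dbname=test', 'user', 'password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Runs one prepare/bind/execute sequence and reports the row count or the PDO error.
function run(string $label, callable $prepareAndExecute): void {
    try {
        $sth = $prepareAndExecute();
        printf("%-26s ok, %d row(s)\n", $label, count($sth->fetchAll()));
    } catch (PDOException $e) {
        printf("%-26s %s\n", $label, $e->getMessage());
    }
}

$sql = 'SELECT name, colour, calories FROM fruit WHERE calories < ? AND colour = ?';

// bindParam() positions are 1-based and carry an explicit type.
run('bindParam, 1-based', function () use ($dbh, $sql) {
    $sth = $dbh->prepare($sql);
    $calories = 150; $colour = 'red';
    $sth->bindParam(1, $calories, PDO::PARAM_INT);
    $sth->bindParam(2, $colour, PDO::PARAM_STR);
    $sth->execute();
    return $sth;
});
// execute(array) with a plain list fills the same placeholders, all as PDO::PARAM_STR.
run('execute, list', function () use ($dbh, $sql) {
    $sth = $dbh->prepare($sql); $sth->execute([150, 'red']); return $sth;
});
// 1-based keys in execute(): placeholder 0 is never filled, so SQLSTATE[HY093] is raised.
run('execute, 1-based keys', function () use ($dbh, $sql) {
    $sth = $dbh->prepare($sql); $sth->execute([1 => 150, 2 => 'red']); return $sth;
});
// A hostile value is bound as data either way: it matches no colour and returns 0 rows.
run('hostile value stays data', function () use ($dbh, $sql) {
    $sth = $dbh->prepare($sql); $sth->execute([150, "red' OR '1'='1"]); return $sth;
});
// Where the type matters: under emulated prepares (the pdo_mysql default) execute([5])
// sends LIMIT '5', which MySQL rejects; bindValue() with PDO::PARAM_INT sends LIMIT 5
// (setting PDO::ATTR_EMULATE_PREPARES to false is the other way out).
$limitSql = 'SELECT name FROM fruit ORDER BY calories LIMIT ?';
run('LIMIT via execute', function () use ($dbh, $limitSql) {
    $sth = $dbh->prepare($limitSql); $sth->execute([5]); return $sth;
});
run('LIMIT via bindValue INT', function () use ($dbh, $limitSql) {
    $sth = $dbh->prepare($limitSql);
    $sth->bindValue(1, 5, PDO::PARAM_INT); $sth->execute(); return $sth;
});
```

The first two calls return the same rows, which is the "no security difference" both answers describe; only the last pair shows a behavioural difference, and it is a correctness failure, not an injection.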
