Should I use prepare in Procedures

1

Below I have an excerpt of code adapted to illustrate this question:

```php
<?php

// Named placeholders mapped to the values to bind
$params = [
    ':codUser'     => $_SESSION['data-user']['codigo'],
    ':codCarrinho' => $codCarrinho,
    ':codPremio'   => $codPremio,
    ':quantidade'  => $quantidade,
    ':subtotal'    => $subtotal
];

$query = 'CALL addItemCarrinho(:codUser, :codCarrinho, :codPremio, :quantidade, :subtotal)';

// Prepare the CALL once, then bind each value to its placeholder
$preparedQuery = self::getConn()->prepare($query);
foreach ($params as $key => $value) {
    $preparedQuery->bindValue($key, $value);
}

$preparedQuery->execute();
$result = $preparedQuery->fetchAll(PDO::FETCH_OBJ);
```

This is the way I currently use it. But I have been researching and reading some articles that say it is not necessary to use prepare with procedures. Out of fear, I keep using it. My question is whether it is possible to use SQL injection in anticipation?

  • Just in case, you should use prepare(). I believe that SQL injection is complicated and depends a lot on a poor implementation of the process. Better to prevent.

  • Yeah! I always get a kick out of it!

1 answer

1

The ideal is for you to continue using prepare to assemble your procedure calls.

Probably, when it was commented that procedures would not need prepare, it is because they use the information passed as parameters internally, and this would avoid SQL injection within their execution. However, at the time of assembling the call, when you are writing it in PHP, it may be that a person can use SQL injection on that call.
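As an added example (not code from the question or the answer), here is one way to keep the CALL text free of request data: the procedure name comes from a fixed allowlist, every argument goes through a bound parameter, and emulated prepares are turned off so MySQL prepares the statement server-side. The connection values and the argument count for addItemCarrinho are assumptions.

```php
<?php
// Added example: call a stored procedure through PDO without ever splicing a
// user-supplied value into the SQL text. Connection details are placeholders.
declare(strict_types=1);

function callProcedure(PDO $pdo, string $procedure, array $args): array
{
    // The procedure name is taken from a fixed allowlist (name => arity), so the
    // SQL string itself is never built from request data. Arity is assumed here.
    $allowed = ['addItemCarrinho' => 5];
    if (!isset($allowed[$procedure]) || count($args) !== $allowed[$procedure]) {
        throw new InvalidArgumentException("Unknown procedure or wrong arity: $procedure");
    }

    // One positional placeholder per argument: CALL addItemCarrinho(?, ?, ?, ?, ?)
    $placeholders = implode(', ', array_fill(0, count($args), '?'));
    $stmt = $pdo->prepare("CALL {$procedure}({$placeholders})");

    // Bind each value with an explicit type so integers are not sent as strings
    foreach (array_values($args) as $i => $value) {
        $type = is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR;
        $stmt->bindValue($i + 1, $value, $type);
    }
    $stmt->execute();

    $rows = $stmt->fetchAll(PDO::FETCH_OBJ);
    // MySQL sends a trailing status result after CALL; release it so the same
    // connection can run the next statement without an "unbuffered query" error
    $stmt->closeCursor();
    return $rows;
}

// Usage (DB_NAME, DB_USER and DB_PASS are placeholders)
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$rows = callProcedure($pdo, 'addItemCarrinho', [
    (int) $_SESSION['data-user']['codigo'],
    (int) $codCarrinho,
    (int) $codPremio,
    (int) $quantidade,
    $subtotal,
]);
```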
