PDO and parameter binding question

  • Terry Ogbemudia 5 months ago

    Usually, when getting input from users through a form, you should use a prepared statement to prevent SQL injection. Binding is not compulsory; however, it can allow you to apply stricter conditions. When getting input from the URL query string and the intention is to use that to retrieve data from the database, you can simply use the query method, which both prepares and executes in one statement.

    You can check the PDO course too: https://devscreencast.com/courses/learn-and-understand-php-data-objects-pdo

  • Hder 5 months ago

    My "Solved" answer was for another question, but mistakenly posted here.  Please provide some feedback to my original question:

    When is it OK to use PDO operations without parameter binding? If we're not dealing with sensitive information?  When there is no user input or passing of data through POST/GET?  

    When MUST we use parameter binding - only when there is user input?  Or?

    I am still not that familiar with SQL injection and hacking methods.

    Thanks

  • Terry Ogbemudia 5 months ago

    Actually, you could just use the query method, which will essentially prepare and execute the query at the same time:

    $result = $db->query("SELECT * FROM blog WHERE article_id<$id ORDER BY article_id DESC LIMIT 0,1");

  • Hder 5 months ago

    Solved.  Seems like the previous fetch required a DESC order command:

    $stmt = $db->prepare("SELECT * FROM blog WHERE article_id<$id ORDER BY article_id DESC LIMIT 0,1");

  • Hder 5 months ago

    When is it OK to use PDO operations without parameter binding? If we're not dealing with sensitive information?  Or use parameter binding always for userIDs and userNames for privacy protection?  Thanks.
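The following is an added example, not code from any of the posts above or from the linked course. It puts the interpolated `query()` pattern shown in the thread next to a bound version of the same lookup, run against an in-memory SQLite database so it can be tried offline; the table, rows and inputs are constructed for the example.

```php
<?php
// Added example: interpolated query versus bound parameter, on constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE blog (article_id INTEGER PRIMARY KEY, title TEXT)");
foreach ([[1, 'first'], [2, 'second'], [3, 'third']] as [$id, $title]) {
    $db->prepare("INSERT INTO blog VALUES (?, ?)")->execute([$id, $title]);
}

// Pattern from the thread: $id is spliced into the SQL text. Whatever arrives
// in the request becomes part of the statement, so the shape of the query is
// decided by the caller's input, not by this code. query() does not change that.
function previousArticleInterpolated(PDO $db, string $id): ?array
{
    $sql = "SELECT * FROM blog WHERE article_id<$id ORDER BY article_id DESC LIMIT 0,1";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Bound version: the SQL text is fixed at prepare time and $id travels as a
// typed parameter, so it can only ever be compared as an integer value.
// The ctype_digit check additionally rejects anything that is not a plain id.
function previousArticleBound(PDO $db, string $id): ?array
{
    if (!ctype_digit($id)) {
        return null;
    }
    $stmt = $db->prepare(
        "SELECT * FROM blog WHERE article_id < :id ORDER BY article_id DESC LIMIT 1"
    );
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Constructed inputs: a well-formed id and one that is not a number at all.
echo "bound, id=3:   ", previousArticleBound($db, '3')['title'], PHP_EOL;      // second
echo "bound, id=abc: ", var_export(previousArticleBound($db, 'abc'), true), PHP_EOL; // NULL
try {
    previousArticleInterpolated($db, 'abc');
} catch (PDOException $e) {
    // 'abc' was parsed as SQL (an identifier here), proving the input rewrote the statement.
    echo "interpolated, id=abc: ", $e->getMessage(), PHP_EOL;
}
```

The same two functions behave identically for a well-formed numeric id; they only diverge once the input is not what the code assumed, which is the case parameter binding exists to close regardless of whether the column holds sensitive data.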
