Code Project

PDO/mySQL/PHP - when is it OK to NOT use parameter binding, when should I REALLY use it?

#1 needAbreakNow wrote:

I am not quite familiar with SQL injection and the different methods one could use to infiltrate one's database code, so I have been using PDO with parameter binding in most of my implementation. I do find it a bit clumsy and long sometimes and am tempted to just skip it. So my question is: under what circumstances can I NOT use parameter binding without worrying about possible hacks, for less critical information? And the flip side: when should I really use it? Only for more sensitive information like user emails and IDs? Or? I would appreciate some feedback or links for further reading.


#2 Jorgen Andersson wrote:

You should always use parameter binding. One exception only: when there are no parameters. [Edit: After reading Mycroft's answer I realize I should change my second sentence to: One exception only, when the parameter is a constant. :)]

Wrong is evil and must be defeated. - Jeff Ello


#3 Mycroft Holmes wrote:

I'm not as fanatical as Jorgen: there is no circumstance where you should NOT use parameter binding. However, there are circumstances (most) where you MUST use parameter binding. If a user or application has anything to do with the values, then you MUST use parameters. The only time I would risk not using parameters is when there is no external input of the values. An example of where I will risk string queries would be if you have a master table of countries with an Active attribute field. I might use select * from Country where ActiveFlag = 1 from my BL layer. But seeing as I have a code generator that automatically builds the DAL, model and viewmodel code for me, I ALWAYS use parameters and stored procedures.

Never underestimate the power of human stupidity RAH


#4 Lost User wrote:

To be fair, SQL injection can only occur where the user has influence over the parameter. If your parameter is a constant, or provided by you, there's little risk, since the user cannot change the statement that is going to be executed. But parameterized queries are not done "just" to prevent SQL injection; they provide more benefits. While it may take you a minute longer to write, it makes the code a lot more readable, improving maintainability. There's also an impact on performance if you re-execute the query. That's not something that every hobbyist wants to learn, so the advice has become that it is NEVER OK to NOT use them. I agree with that advice, since adding the code will not have a downside.

needAbreakNow wrote:

I do find it a bit clumsy and long sometimes and am tempted to just skip it.

This will sound rude, but that's just being lazy. If it is worth doing at all, it is worth doing correctly. Upvoted for asking "why am I doing this"; it proves you are actually thinking about what you are doing, and trying to find alternatives.

Bastard Programmer from Hell :suss: If you can't read my code, try converting it here. "If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.

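As an added example, not code posted in this thread, the three situations the answers by Mycroft Holmes and Lost User distinguish, run through PDO against an in-memory SQLite database so it works offline. The Country table, its rows and the "user" input are constructed here, and the pdo_sqlite extension is assumed.

```php
<?php
// Added example, not from the thread. PDO over in-memory SQLite (pdo_sqlite assumed);
// the Country table, its rows and the "user" input are all constructed here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // let the driver handle placeholders
$pdo->exec('CREATE TABLE Country (Id INTEGER PRIMARY KEY, Name TEXT, ActiveFlag INTEGER)');
$pdo->exec("INSERT INTO Country (Name, ActiveFlag) VALUES ('Denmark', 1), ('Atlantis', 0)");

// Case 1: the value comes from a user (the MUST case).
// Interpolating it lets the input change the statement itself: the comment marker
// discards the ActiveFlag filter, so the inactive row is returned as well.
$userInput = "' OR 1=1 -- ";                                   // constructed hostile input
$concatenated = "SELECT Name FROM Country WHERE Name = '$userInput' AND ActiveFlag = 1";
$leaked = $pdo->query($concatenated)->fetchAll(PDO::FETCH_COLUMN);
echo 'string-built query returned: ', implode(', ', $leaked), "\n"; // Denmark, Atlantis

// Bound, the same input is only ever compared as a value and matches nothing.
$stmt = $pdo->prepare('SELECT Name FROM Country WHERE Name = :name AND ActiveFlag = 1');
$stmt->execute([':name' => $userInput]);
$bound = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo 'bound query returned: ', count($bound), " rows\n";             // 0 rows

// Case 2: a constant with no external input (the one exception the answers allow).
// Nothing in this statement can be influenced at runtime, so there is nothing to rewrite.
$active = $pdo->query('SELECT Name FROM Country WHERE ActiveFlag = 1')->fetchAll(PDO::FETCH_COLUMN);
echo 'active countries: ', implode(', ', $active), "\n";              // Denmark

// Case 3: the re-execution point. Prepare once, execute many: the statement is parsed
// a single time and each execute() only supplies new values.
$byId = $pdo->prepare('SELECT Name FROM Country WHERE Id = ?');
foreach ([1, 2, 1] as $id) {
    $byId->execute([$id]);
    echo "Id $id -> ", $byId->fetchColumn(), "\n";                    // Denmark, Atlantis, Denmark
}
```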

#5 jschell wrote:

needAbreakNow wrote:

and am tempted to just skip it

Versus what? If you create a composition then that can be rather complicated as well. Perhaps you are comparing it to simple cases like when you want to add just one parameter? If so I would say that consistency of usage overrides the ease of one-off cases.
