How does PHP PDO39s prepared statements prevent sql injection What are other benefits of using PDO Does using PDO reduce efficiency

De openkb
Aller à : Navigation, rechercher

Sommaire

Questions

I have been spotting the sentence PHP PDO s prepared statements prevents SQL injection.

    *How does php PDO s(PDO s prepared statements) prevent sql injection? *What are other pros/cons of using PDO(PDO s prepared statements)? *Does using PDO(PDO s prepared statements) reduce efficiency?

http://stackoverflow.com/questions/134099/are-pdo-prepared-statements-sufficient-to-prevent-sql-injection http://stackoverflow.com/questions/134099/are-pdo-prepared-statements-sufficient-to-prevent-sql-injection But the data there is not completely clear.

Answers

Well, at second glance your question looks more complex to be answered with just one link

How does php pdo s prepared statements prevent sql injection?

http://stackoverflow.com/questions/8263371/how-prepared-statements-can-protect-from-sql-injection-attacks http://stackoverflow.com/questions/8263371/how-prepared-statements-can-protect-from-sql-injection-attacks

What are other pros/cons of using PDO?

Most interesting question.
A greatest PDO disadvantage is: it is peddled and propagated a silver bullet, another idol to worship.
While without understanding it will do no good at all, like any other tool.
PDO has some key features like

    • Database abstraction. It s a myth, as it doesn t alter the SQL syntax itself. And you simply can t use mysql autoincremented ids with Postgre. Not to mention the fact that switching database drivers is not among frequent developer s decisions.
    • Placeholders support, implementing native prepared statements or emulating them. Good approach but very limited one. There are lack of necessary placeholder types, like identifier or SET placeholder.
    • a helper method to get all the records into array without writing a loop. Only one. When you need at least 4 to make your work sensible and less boring.
Does using PDO reduce efficiency?

Again, it is not PDO, but prepared statements that reduces efficiency. It depends on the network latency between the db server and your application but you may count it negligible for the most real world cases.

Source

License : cc by-sa 3.0

http://stackoverflow.com/questions/8718942/how-does-php-pdos-prepared-statements-prevent-sql-injection-what-are-other-ben

Related

Outils personnels
Espaces de noms

Variantes
Actions
Navigation
Outils