
I've had a good read of this question mysqli or PDO - what are the pros and cons?. But I think it's a bit dated. Are prepared statements still the best solution against injections?

I'm going to create a new PHP interface to access my MySQL database, so I want to get it right from the start.

Also, doesn't PDO slow your queries down a lot?

Vincent

1 Answer


Use prepared statements/parametrized queries. This is completely safe since you do not mix SQL with data in the same string and you don't have to think about escaping anymore. At least if you don't start making your column/table names dynamic in a way users can modify them.

The advantages you get by using PDO are absolutely worth the minimal performance loss.

ThiefMaster

  • However, it's worth bearing in mind that by default PDO "prepared statements" aren't really prepared statements at all. They're emulated. Need to call [`PDO::setAttribute(PDO::ATTR_EMULATE_PREPARES, false)`](http://php.net/manual/en/pdo.setattribute.php) to use the real thing. – eggyal May 16 '12 at 10:44
  • I think leaving the default is safe. Then you use natives if available and emulated ones if not. – ThiefMaster May 16 '12 at 10:46
  • My understanding is that the default value is `true`, which will *never* use natives: and therefore the RDBMS will still evaluate parameters for SQL - one is left with only PDO's escaping to keep safe. – eggyal May 16 '12 at 10:47
  • Ugh, that would be extremely retarded... but since it's PHP everything is possible I guess. – ThiefMaster May 16 '12 at 10:49
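An added example (not from the answer or any of the commenters) showing what the thread recommends in practice: PDO with prepare emulation switched off so MySQL handles the statement natively, data values bound as parameters, and a dynamic column name (which cannot be bound) checked against a whitelist. The DSN, credentials and the `users` table are assumed placeholders.

```php
<?php
// Added example, not code from the answer above. Assumes a MySQL database
// "app" with a table users(id, email, created_at); DSN/credentials are placeholders.

$dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
$pdo = new PDO($dsn, 'app_user', 'PLACEHOLDER_PASSWORD', [
    // Disable client-side emulation: the SQL text is sent to MySQL once and
    // parameter values travel separately, so they are never parsed as SQL.
    PDO::ATTR_EMULATE_PREPARES => false,
    // Surface driver errors as exceptions instead of silent false returns.
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Data values: always bound, never concatenated into the query string.
function findUserByEmail(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email, created_at FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Identifiers (column/table names) cannot be bound as parameters, which is the
// "dynamic column names" caveat in the answer: restrict them to a fixed list.
function listUsersSortedBy(PDO $pdo, string $column, string $dir): array
{
    $allowedColumns = ['id', 'email', 'created_at'];
    if (!in_array($column, $allowedColumns, true)) {
        throw new InvalidArgumentException("Unsupported sort column: $column");
    }
    $dir = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    $stmt = $pdo->query("SELECT id, email FROM users ORDER BY `$column` $dir");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A value containing a quote is just data to the server; no escaping needed here.
var_dump(findUserByEmail($pdo, "o'brien@example.com"));
var_dump(listUsersSortedBy($pdo, 'created_at', 'desc'));
```

With emulation left at its default, PDO instead quotes the values client-side and sends a single SQL string, which is the behaviour eggyal's comment warns about.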