
Possible Duplicate:
Php PDO::bindParam data types.. how does it work?

Could someone explain why a prepared statement is more secure:

    // The SQL text is sent to the server with named placeholders only;
    // the closing parenthesis of the VALUES list must be present for the statement to parse.
    $stmt = $conn->prepare("INSERT INTO users (user, pass, salt)
                            VALUES (:user, :pass, :salt)");
    // Each variable is bound to its placeholder; the values are supplied
    // separately from the statement text at execute() time.
    $stmt->bindParam(":user", $user);
    $stmt->bindParam(":pass", $pass);
    $stmt->bindParam(":salt", $salt);
    $stmt->execute();

The insert query is first prepared with placeholders, then the values are placed into the placeholders, but where is that famous security point?

Alegro

1 Answer

1

The values are not placed into the placeholders (depending on the backend, some do emulation, but let's not talk about them, as that's not prepared statements). The issue with traditional SQL is that the commands and data are mixed. Prepared statements get around that issue by intentionally keeping them separate at all times. Prepared statements aren't just a fancy way to automatically do mysqli_real_escape_string.

Kitsune