PHP prepared statements clarification
Security-wise, can I mix user input and fixed values in a prepared statement, or does each value in the query (such as the status) have to have its own placeholder?
For example:
    $code = htmlspecialchars($_GET['code']); // user input; htmlspecialchars is HTML output encoding, the prepared statement is what protects the query
    $status = 'a';                          // fixed value, bound like the user value
    $stmt = $connect->prepare("SELECT s_id FROM events WHERE s_code = ? AND s_status = ?")
        or die(mysqli_error($connect));
    $stmt->bind_param('ss', $code, $status); // both values sent as data, never as SQL text
    $stmt->execute();
    $stmt->bind_result($reference);
    $stmt->fetch();                          // $reference now holds s_id, or stays null if no row matched
Or is this acceptable?
    $code = htmlspecialchars($_GET['code']); // user input, bound below
    $stmt = $connect->prepare("SELECT s_id FROM events WHERE s_code = ? AND s_status = 'a'")
        or die(mysqli_error($connect));      // the constant 'a' stays in the SQL text; it is not user-controlled
    $stmt->bind_param('s', $code);
    $stmt->execute();
    $stmt->bind_result($reference);
    $stmt->fetch();
Both approaches are acceptable. There is no security impact in binding a fixed value from code, and it may have performance benefits if various parts of the application (or different applications) use different hard-coded values in the same query.
php
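The two query forms from the question side by side, as an added example that is not part of the original post. It uses Python's sqlite3 (which takes the same `?` placeholders as mysqli) against a constructed in-memory `events` table, so it runs offline; the column names come from the question, the row contents are made up.

```python
import sqlite3
from html import escape  # Python's counterpart to htmlspecialchars()

def make_db():
    """Constructed stand-in for the events table in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (s_id INTEGER, s_code TEXT, s_status TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", [
        (1, "ABC123", "a"),
        (2, "Tom & Jerry", "a"),   # value that HTML encoding would mangle
        (3, "OLD999", "x"),        # inactive row: must never be returned
    ])
    return conn

def lookup_both_bound(conn, code, status="a"):
    """First form: the user value and the fixed status are both bound."""
    row = conn.execute(
        "SELECT s_id FROM events WHERE s_code = ? AND s_status = ?",
        (code, status)).fetchone()
    return row[0] if row else None

def lookup_fixed_inline(conn, code):
    """Second form: only the user value is bound; 'a' stays in the SQL text."""
    row = conn.execute(
        "SELECT s_id FROM events WHERE s_code = ? AND s_status = 'a'",
        (code,)).fetchone()
    return row[0] if row else None

def lookup_concatenated(conn, code):
    """What neither form does: user input spliced into the SQL text."""
    sql = "SELECT s_id FROM events WHERE s_code = '" + code + "' AND s_status = 'a'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"
    # Both bound forms treat the input purely as data: no row has that code.
    print(lookup_both_bound(conn, hostile), lookup_fixed_inline(conn, hostile))
    # Concatenation lets the same input change the WHERE clause and match a row.
    print(lookup_concatenated(conn, hostile))
    # HTML-escaping before the query changes the value, so a legitimate code stops matching.
    print(lookup_both_bound(conn, "Tom & Jerry"), lookup_both_bound(conn, escape("Tom & Jerry")))
```

The last line shows why htmlspecialchars() belongs at HTML output time, not in front of the query: binding already keeps the value out of the SQL text, and escaping it first turns `&` into `&amp;` so the row is not found.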