
Example mysql_query:

$query = mysql_query("SELECT `col1`, `col2` FROM `table` WHERE `col1`='$escapedvariable' ");

I know the above is not good in practice.

Better query using prepare and execute:

$pSt = $dbh->prepare('SELECT col1, col2 FROM table WHERE col1=:col1');

$pSt->execute(array(':col1' => $escapedvariable));

$status=$pSt->errorCode();

Question: Can I use mysql_query with bound variables for added security?

  • NOTE for future readers: The second code snippet (using prepare) is for PDO. Hence :col1 as a bound parameter. If instead you are using mysqli then use ? for bound parameters. mysqli parameters are not named - they are determined by their order in the sql. Commented Oct 23, 2019 at 15:31

1 Answer


No, you have to use mysqli-functions or PDO.


2 Comments

Vote for put PDO to the first place ;-P
second vote for PDO => ttp://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/
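To make the answer concrete, here is an added example (not code from the question, the answer, or any library) of the question's lookup written with PDO named placeholders and with mysqli positional placeholders, as the comment on the question describes, next to the legacy string-building form for contrast. The DSN, credentials, database name and the `table`/`col1`/`col2` names are placeholders or taken from the question.

```php
<?php
// Added example: the same lookup three ways. Assumes a reachable MySQL server
// (placeholder DSN/credentials) and a table `table` with columns col1, col2.
$dsn  = 'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4';
$user = 'DB_USER_PLACEHOLDER';
$pass = 'DB_PASS_PLACEHOLDER';

// Constructed input containing a quote, the character string-building trips on.
$untrusted = "O'Brien";

// 1) The pattern from the question (ext/mysql, removed in PHP 7, so this string
//    is only built, not run). mysql_query() has no parameter binding: the value
//    is spliced into the SQL text, so safety rests entirely on escaping being
//    applied correctly, with the right connection charset, at every call site.
$legacySql = "SELECT `col1`, `col2` FROM `table` WHERE `col1`='$untrusted'";
// -> ... WHERE `col1`='O'Brien'   (broken SQL unless escaped first)

// 2) PDO with a named placeholder, as in the question's second snippet.
//    With emulation off, the statement is prepared on the server and the value
//    is sent separately as data; it never becomes part of the SQL text.
$dbh = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$pSt = $dbh->prepare('SELECT col1, col2 FROM `table` WHERE col1 = :col1');
$pSt->execute([':col1' => $untrusted]);   // no escaping step needed
$rowsPdo = $pSt->fetchAll(PDO::FETCH_ASSOC);

// 3) mysqli with a positional placeholder. As the comment notes, mysqli binds
//    by position, not by name; 's' declares the bound value a string.
$mysqli = new mysqli('localhost', $user, $pass, 'DB_NAME_PLACEHOLDER');
$stmt = $mysqli->prepare('SELECT col1, col2 FROM `table` WHERE col1 = ?');
$stmt->bind_param('s', $untrusted);
$stmt->execute();
$rowsMysqli = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);

// Both prepared forms match rows whose col1 is literally O'Brien; the quote is
// just data. That separation of code from data is what mysql_query() lacks.
```

`get_result()` requires the mysqlnd driver; on builds without it, use `bind_result()`/`fetch()` instead.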
