Question

I have been reading about using $_POST values directly in insert statements and understand that this is an invitation for trouble. What is not clear in any of the posts I read is this: say my form is sending 7 items to my mysqli insertion script and I use the posted values like this:

    // Placeholders only in the SQL text; the values are bound separately
    $stmt = $mysqli->prepare("INSERT INTO `advertisements` (`from`, `r_u_res`, `email`, `blockname`, `floorno`, `doorno`, `content`) VALUES (?, ?, ?, ?, ?, ?, ?)");
    // Bind the $_POST elements directly (all as strings)
    $stmt->bind_param('sssssss', $_POST['from'], $_POST['rures'], $_POST['email'], $_POST['blockname'], $_POST['floorno'], $_POST['doorno'], $_POST['content']);

    $stmt->execute();
    $stmt->close();

Would that be the correct way to do it? Or should I first store the posted values in a new variable and use that variable while binding? - like this :

    // Copy each posted value into its own variable first
    $postedfrom = $_POST['from'];
    $postedrures = $_POST['rures'];
    $postedemail = $_POST['email'];
    $postedblockname = $_POST['blockname'];
    $postedfloorno = $_POST['floorno'];
    $posteddoorno = $_POST['doorno'];
    $postedcontent = $_POST['content'];

    $stmt = $mysqli->prepare("INSERT INTO `advertisements` (`from`, `r_u_res`, `email`, `blockname`, `floorno`, `doorno`, `content`) VALUES (?, ?, ?, ?, ?, ?, ?)");
    // Bind the copied variables instead of the $_POST elements
    $stmt->bind_param('sssssss', $postedfrom, $postedrures, $postedemail, $postedblockname, $postedfloorno, $posteddoorno, $postedcontent);

    $stmt->execute();
    $stmt->close();

I saw a post, "OO mysqli prepared statements help please", where the answer does seem to be like the code above, but I want to know whether doing it like the first code poses security issues...


Solution

Both forms are equivalent from a security perspective, as PHP first resolves the values to be passed in the method call to $stmt->bind_param, so that function sees the exact same values in both cases.

PS: both snippets look OK to me.
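To make the point concrete, here is an added example (not code from the question or the answer above) that puts the dangerous pattern, string-interpolating the posted values into the SQL text, next to the prepared-statement form from the question, and adds the two checks a reviewer would ask for: `mysqli_report()` so a failed `prepare()` or `execute()` throws instead of silently returning false, and a guard that every expected field is present and is a string (a `field[]` input arrives as an array, which `bind_param` cannot bind). The connection details, the `$input` array standing in for `$_POST`, and the injected `from` value are all constructed for this example; the `advertisements` table is the one from the question.

```php
<?php
// Added example, not part of the original post. Assumes a MySQL/MariaDB server with the
// hypothetical credentials below and the `advertisements` table from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors become exceptions

$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // hypothetical
$mysqli->set_charset('utf8mb4'); // charset for the connection, so escaping/binding agree with the server

// Constructed stand-in for $_POST. The `from` field carries a classic injection attempt.
$input = [
    'from'      => "Alice', 'y', 'a@b.c', 'B1', '1', '1', 'x'); DROP TABLE `advertisements`; -- ",
    'rures'     => 'resident',
    'email'     => 'alice@example.com',
    'blockname' => 'Block C',
    'floorno'   => '3',
    'doorno'    => '12',
    'content'   => 'Bicycle for sale',
];

$fields = ['from', 'rures', 'email', 'blockname', 'floorno', 'doorno', 'content'];

// UNSAFE: the posted values become part of the SQL text, so the quote in `from`
// closes the string literal and the rest is parsed as SQL. Shown only to build the
// string; it is never executed here.
function unsafeInsertSql(array $p): string
{
    return "INSERT INTO `advertisements` (`from`, `r_u_res`, `email`, `blockname`, `floorno`, `doorno`, `content`) "
        . "VALUES ('{$p['from']}', '{$p['rures']}', '{$p['email']}', '{$p['blockname']}', "
        . "'{$p['floorno']}', '{$p['doorno']}', '{$p['content']}')";
}

// SAFE: the SQL text contains only placeholders; the values are sent separately by the
// protocol and are never parsed as SQL, so the `from` payload is stored as plain data.
function safeInsert(mysqli $db, array $p, array $fields): int
{
    // Guard: every field must exist and be a scalar string (a `name[]` input is an array).
    foreach ($fields as $k) {
        if (!isset($p[$k]) || !is_string($p[$k])) {
            throw new InvalidArgumentException("missing or non-string field: $k");
        }
    }

    $stmt = $db->prepare(
        "INSERT INTO `advertisements` (`from`, `r_u_res`, `email`, `blockname`, `floorno`, `doorno`, `content`) "
        . "VALUES (?, ?, ?, ?, ?, ?, ?)"
    );
    // Binding the array elements directly, as in the question's first snippet: bind_param
    // receives the same values it would get from intermediate variables.
    $stmt->bind_param(
        'sssssss',
        $p['from'], $p['rures'], $p['email'], $p['blockname'],
        $p['floorno'], $p['doorno'], $p['content']
    );
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

echo "Unsafe SQL that would have been sent:\n", unsafeInsertSql($input), "\n\n";
echo safeInsert($mysqli, $input, $fields), " row inserted; `from` holds the payload verbatim\n";
```

Run it against a throwaway database: the echoed unsafe string shows the injected `DROP TABLE` statement inside the query text, while the prepared insert stores the payload as a column value. On PHP 8.1 and later, `$stmt->execute([$p['from'], ...])` accepts the parameters as an array and removes the need for `bind_param` and its type string.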

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow