  1. #1 Regular Coder (London; joined Dec 2010; 339 posts; thanked 11 times in 11 posts)

    Worth binding parameters if using $_GET?

    Hi, if I'm using MySQLi, is there any benefit in using bind_param() if the variables are going to be pulled from $_GET? I understand the benefit of it reducing the SQL injection risk, but surely if $_GET is getting the data from the URL then it won't make any difference if I just input the data directly like below?

    PHP Code:

    // Values taken straight from the query string, then interpolated into the SQL.
    $location = $_GET['location'];
    $position = $_GET['position'];

    $result = $db->query("SELECT * FROM jobBoard WHERE location='$location' AND position='$position'");

    while ($row = $result->fetch_assoc()) { ... }

  • #2 Senior Coder (Your Monitor; joined Feb 2011; 4,341 posts; thanked 527 times in 514 posts; 4 blog entries)
    You seem to be thinking that because it comes from the $_GET array that it's somehow magically safe.. it's not.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  • #3 Regular Coder (London; joined Dec 2010; 339 posts; thanked 11 times in 11 posts)
    I'm not. I mean that, as it is clearly unsafe, is it worth using the binding method at all, as you could just be binding SQL injection?

  • #4 Senior Coder (Your Monitor; joined Feb 2011; 4,341 posts; thanked 527 times in 514 posts; 4 blog entries)
    Fou will be the better one to answer this, but as I understand it, binding means that MySQL is supposed to run the query and then grab the bound parameters and use them instead of using them in the query itself.

    Having reviewed my mysql logs I wasn't utterly convinced myself to be honest but all the php documentation shows to use binding and forget about it.

    There is always mysqli_real_escape_string() if you want to do it the old fashioned way..

  • #5 Regular Coder (London; joined Dec 2010; 339 posts; thanked 11 times in 11 posts)
    Ah, OK, I think I can get my head around that. Thank you for the explanation.

  • #6 Master Coder felgall (Sydney, Australia; joined Sep 2005; 6,642 posts; thanked 649 times in 639 posts)
    Quote Originally Posted by paddyfields View Post
    PHP Code:

    $location = $_GET['location'];
    $position = $_GET['position'];
    You should NEVER use code like that because now the local variables are tainted and you have no clear way to identify which variables are tainted and which are not.

    You should either sanitize or validate the $_GET values before moving them to local variables so that the local variables remain untainted. (Validate if the $_GET originated from user input in a form otherwise sanitize).

    Escaping is an output function that has nothing whatever to do with security - it simply ensures that when you jumble code and data together that the valid data isn't misinterpreted as code.

    You can't avoid jumbling data and code together when outputting HTML but you can with SQL (by using separate prepare and bind statements).
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.
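The two points made in this thread (validate the $_GET values before they reach local variables, and keep data out of the SQL text with prepare and bind) put together as an added example. This is not code from the thread; it assumes an open mysqli connection in $db, the mysqlnd driver (for get_result()), and the jobBoard table from the question with text columns location and position. The allow-list pattern in getParam() is an assumption about what the site accepts, not something the thread specifies.

```php
<?php
// Added example, not code from the original thread. Assumes an open mysqli
// connection in $db, mysqlnd (for get_result()) and the jobBoard table from
// the question with text columns `location` and `position`.
declare(strict_types=1);

/**
 * Validate one $_GET value before it is copied into a local variable, so the
 * local variable is never "tainted". Returns null when the value is missing,
 * is not a plain string (?location[]=x arrives as an array), is empty, is too
 * long, or contains characters outside the allow-list. The allow-list is an
 * assumption for this example; adjust it to the site's real data.
 */
function getParam(array $source, string $name, int $maxLen = 64): ?string
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;
    }
    $value = trim($source[$name]);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    // Letters, digits, spaces and a few punctuation marks. An apostrophe is
    // allowed on purpose (e.g. King's Cross): binding makes it harmless.
    if (!preg_match('/^[\p{L}\p{N} .,\'\-\/]+$/u', $value)) {
        return null;
    }
    return $value;
}

/**
 * Run the query with a prepared statement. The SQL text sent to MySQL holds
 * only the two placeholders; the values travel separately in execute(), so
 * the server never parses them as SQL, whatever they contain.
 */
function findJobs(mysqli $db, string $location, string $position): array
{
    $stmt = $db->prepare('SELECT * FROM jobBoard WHERE location = ? AND position = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $location, $position); // 's' = string, one per placeholder
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

$location = getParam($_GET, 'location');
$position = getParam($_GET, 'position');

if ($location === null || $position === null) {
    http_response_code(400);
    exit('location and position are required');
}

// With the interpolated query from post #1, a request such as
//   ?location=London'%20OR%20'1'='1&position=Developer
// turns the WHERE clause into
//   location='London' OR '1'='1' AND position='Developer'
// and returns every Developer row regardless of location. Here the same
// string is just a location value that matches nothing, so no rows come back.
foreach (findJobs($db, $location, $position) as $row) {
    // ... render $row ...
}
```

Note that validation and binding do different jobs: getParam() decides whether the request is acceptable at all (and rejects arrays, empty values and oversized input), while bind_param() guarantees that whatever passes validation can only ever be compared as a value, never executed as SQL. Dropping the allow-list would not make findJobs() injectable; dropping the binding would.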

