1.2.1120. Should Use Prepared Statement

Modern databases provide support for prepared statements: they separate the query text from the processed data, which significantly raises security.

Building queries with concatenations is not recommended, though not always avoidable. When possible, use prepared statements. The same query, written as a prepared statement:

<?php
/* Execute a prepared statement by passing an array of values.
   $conn is an already opened PDO connection. */

$sql = 'SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour';
$sth = $conn->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
// The values are sent separately from the query text and are never interpreted as SQL.
$sth->execute(array(':calories' => 150, ':colour' => 'red'));
$red = $sth->fetchAll();
?>

Name         Default              Type   Description
queryMethod  query_methods.json   data   Methods that call a query.

See also Prepared Statements, PHP MySQLi Prepared Statements Tutorial to Prevent SQL Injection and The Best Way to Perform MYSQLI Prepared Statements in PHP.

1.2.1120.1. Suggestions

  • Use an ORM

  • Use an Active Record library

  • Hard-code the query so that no user-controlled data can be injected into it
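The following is an added example, not code from the Exakat documentation or the PHP manual: it puts the injectable concatenation from the description next to its prepared-statement replacement, and shows the "hard-code it" suggestion for the one part of a query that cannot be bound, an identifier such as an ORDER BY column. It runs offline against an in-memory SQLite database; the table, rows and input string are constructed for the example, and the function names are hypothetical. It assumes the pdo_sqlite extension is enabled.

```php
<?php
// Added example (not Exakat's or PHP's own code). The fruit table and its
// rows are constructed so the script runs offline via pdo_sqlite.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE fruit (name TEXT, colour TEXT, calories INTEGER)');
$seed = $conn->prepare('INSERT INTO fruit VALUES (:name, :colour, :calories)');
foreach ([['apple', 'red', 95], ['cherry', 'red', 50], ['lime', 'green', 20]] as $row) {
    $seed->execute([':name' => $row[0], ':colour' => $row[1], ':calories' => $row[2]]);
}

// What the rule flags: the query text itself is assembled from user input,
// so the input can change the meaning of the SQL.
function fruitByColourUnsafe(PDO $conn, string $colour): array
{
    $sql = "SELECT name FROM fruit WHERE colour = '" . $colour . "'";
    return $conn->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The fix: the query text is fixed at prepare() time and the value travels
// as a bound parameter, so it is only ever compared as data.
function fruitByColourSafe(PDO $conn, string $colour): array
{
    $sth = $conn->prepare('SELECT name FROM fruit WHERE colour = :colour');
    $sth->execute([':colour' => $colour]);
    return $sth->fetchAll(PDO::FETCH_COLUMN);
}

// Identifiers (table or column names, ORDER BY targets) cannot be bound.
// This is where the "hard-code the query" suggestion applies: map the
// request onto a fixed allow-list and reject anything else.
function fruitSorted(PDO $conn, string $orderBy): array
{
    $allowed = ['name' => 'name', 'calories' => 'calories'];
    if (!isset($allowed[$orderBy])) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    $sth = $conn->prepare('SELECT name FROM fruit ORDER BY ' . $allowed[$orderBy]);
    $sth->execute();
    return $sth->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input that closes the quoted literal in the concatenated query.
$input = "red' OR '1'='1";

// Concatenation: the WHERE clause becomes  colour = 'red' OR '1'='1  and
// every row is returned, including the green lime.
var_dump(fruitByColourUnsafe($conn, $input));

// Prepared statement: no fruit has the colour "red' OR '1'='1", so the
// result is an empty array.
var_dump(fruitByColourSafe($conn, $input));

// Allow-listed identifier: lime, cherry, apple (ascending calories).
var_dump(fruitSorted($conn, 'calories'));
```

The two query functions run the same nominal SQL; the difference that the rule cares about is whether the untrusted value is part of the query string or is handed to execute() separately. The allow-list in fruitSorted is the pattern to reach for when a prepared statement alone cannot help, because the variable part is structure rather than data.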

1.2.1120.2. Specs

Short name:    Security/ShouldUsePreparedStatement
Rulesets:      All, Analyze, CE, CI-checks, Changed Behavior, Security
Exakat since:  0.8.4
PHP Version:   All
Severity:      Major
Time To Fix:   Slow (1 hour)
Precision:     High
Examples:      Dolibarr
Available in:  Entreprise Edition, Community Edition, Exakat Cloud