1.2.1120. Should Use Prepared Statement
Modern databases provide support for prepared statements: a prepared statement separates the query text from the data it processes, which significantly raises security, because values bound as parameters are never interpreted as SQL.
Building queries with concatenation is not recommended, though not always avoidable. When possible, use prepared statements. The following code runs the same query as a prepared statement:
```php
<?php
/* Execute a prepared statement by passing an array of values.
   $conn is an already opened PDO connection. */
$sql = 'SELECT name, colour, calories
FROM fruit
WHERE calories < :calories AND colour = :colour';
// Prepare once: the query text is sent to the database without any data.
$sth = $conn->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
// Execute with the values bound to the named placeholders.
$sth->execute(array(':calories' => 150, ':colour' => 'red'));
$red = $sth->fetchAll();
?>
```
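To show why the rule matters, here is an added example (not part of the Exakat documentation) that runs the same fruit query both by concatenation and as a PDO prepared statement against an in-memory SQLite database, so it works offline; it assumes the pdo_sqlite extension is installed, and the table, rows and inputs are constructed for the demonstration.

```php
<?php
// Constructed sample database: assumes the pdo_sqlite extension.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE fruit (name TEXT, colour TEXT, calories INTEGER)');
$conn->exec("INSERT INTO fruit VALUES ('apple', 'red', 95), ('banana', 'yellow', 105), ('cherry', 'red', 50)");

// Flagged by the rule: the input is spliced into the SQL text, so a quote
// character inside $colour changes the structure of the WHERE clause.
function fruitByColourConcat(PDO $conn, string $colour, int $maxCalories): array
{
    $sql = "SELECT name FROM fruit WHERE calories < $maxCalories AND colour = '$colour'";
    return $conn->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Compliant: the query text is fixed at prepare time; the values travel
// separately as parameters and are only ever compared as data.
function fruitByColourPrepared(PDO $conn, string $colour, int $maxCalories): array
{
    $sth = $conn->prepare('SELECT name FROM fruit WHERE calories < :calories AND colour = :colour');
    $sth->execute([':calories' => $maxCalories, ':colour' => $colour]);
    return $sth->fetchAll(PDO::FETCH_COLUMN);
}

$normal  = 'red';
$quoted  = "red' OR '1'='1";   // constructed input containing a single quote

var_dump(fruitByColourConcat($conn, $normal, 150));
var_dump(fruitByColourConcat($conn, $quoted, 150));    // the quote rewrites the condition
var_dump(fruitByColourPrepared($conn, $quoted, 150));  // the whole string is just a colour value
?>
```

Run it with `php` and compare the three dumps: with the quoted input the concatenated query no longer filters by colour, while the prepared statement simply finds no fruit whose colour equals that string.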
Name | Default | Type | Description
queryMethod | query_methods.json | data | Methods that call a query.
See also Prepared Statements, PHP MySQLi Prepared Statements Tutorial to Prevent SQL Injection and The Best Way to Perform MYSQLI Prepared Statements in PHP.
1.2.1120.1. Suggestions
Use an ORM
Use an Active Record library
Change the query to hard code it and make it not injectable
1.2.1120.2. Specs
Short name | Security/ShouldUsePreparedStatement
Rulesets |
Exakat since | 0.8.4
PHP Version | All
Severity | Major
Time To Fix | Slow (1 hour)
Precision | High
Examples |
Available in |