Can a pattern matching expression be a SQL injection?

preg_match('/^[az\d-]+$/', $var) 

SQL query:

"SELECT `id` FROM `table` WHERE `col` = '$var'"
    It cannot. But bound parameters (bind_param) should be used not only to protect against injections but also to improve performance. Never insert parameters into the query text. - Mike
  • @Mike this should have been posted as an answer - Pavel Mayorov 3:54 pm
  • @Mike But if there is only one query, bind_param won't give a speed gain, will it? - user208916
  • @Mike, prepared statements do not go into the query cache, so whether there is a speed gain or not has to be assessed case by case. If the query cache is enabled and is highly efficient, you can lose performance. - cheops
  • If the query really is a one-off, the script runs once and won't run again for the next few hours, then of course you don't care. But if other runs of this application are expected, it will help: MySQL won't need to rebuild the query execution plan, it can take it from the cache. - Mike

1 answer

There shouldn't be any injection, but it is better to use standard prepared statements with placeholders. If only so as not to invent a new regular expression for every new incoming parameter.

Edit: With the performance of prepared statements specifically in PHP, things are complicated. In theory they can give a gain. One has to take into account that the connection to the database is usually created anew on each HTTP request, and that by default pdo_mysql emulates prepared statements on the client side.
If you know about this, then perhaps speed will be an additional argument in favour of PS.

  • I don't understand this myth: if user input is inserted into an SQL query as a parameter (in quotes) and escaped with the mysqli_real_escape_string function, what SQL injection can we be talking about? Using prepared statements to protect against SQL injection is like hammering nails with a microscope, because this tool was created for other purposes: optimizing work with the database when the same type of query is sent en masse. - user208916
  • But it is convenient! And in the end, it's just beautiful :) - artoodetoo
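The two approaches discussed above side by side, as an added example (not code from the question or the answer): the regex whitelist from the question is kept as an input-format check, while the query itself uses a PDO placeholder so the value never enters the SQL text. The `sqlite::memory:` DSN is an assumed stand-in so the script runs offline; with pdo_mysql the DSN would be the MySQL one and `PDO::ATTR_EMULATE_PREPARES` is what switches off the client-side emulation the answer mentions.

```php
<?php
declare(strict_types=1);

// The whitelist from the question, reproduced as written.
function isWhitelisted(string $var): bool
{
    return preg_match('/^[az\d-]+$/', $var) === 1;
}

// Placeholder version of the query from the question: the bound value is sent
// separately from the SQL text, so quote characters in it are just data.
function findIds(PDO $pdo, string $var): array
{
    $stmt = $pdo->prepare('SELECT `id` FROM `table` WHERE `col` = :val');
    $stmt->execute([':val' => $var]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Assumed stand-in for a MySQL connection so the example runs offline.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    // On pdo_mysql this turns off client-side emulation (the default the
    // answer refers to) and uses server-side prepared statements; pdo_sqlite
    // simply ignores the attribute.
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$pdo->exec('CREATE TABLE `table` (`id` INTEGER PRIMARY KEY, `col` TEXT)');
// Constructed sample rows; the second contains a literal single quote.
$pdo->exec("INSERT INTO `table` (`col`) VALUES ('a-1'), ('a''b')");

// Constructed inputs: one that passes the whitelist, two that fail it.
foreach (['a-1', "a'b", "a'b' OR 1=1"] as $input) {
    $verdict = isWhitelisted($input) ? 'passes' : 'fails';
    // Even the inputs that fail the whitelist are bound as plain literals:
    // "a'b" matches the stored row, the third string matches nothing.
    printf("%-18s whitelist %s, rows: %s\n",
        var_export($input, true), $verdict, json_encode(findIds($pdo, $input)));
}
```

Validation and parameter binding do different jobs: the regex decides which values the application accepts, the placeholder guarantees that whatever is accepted cannot change the query's structure.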