
Possible Duplicate:
Php PDO::bindParam data types.. how does it work?

Say for example, that I have the following prepared statement:

$sth = $dbh->prepare('SELECT `name` FROM `user` WHERE `user_id` = :user_id');

I could bind the user_id parameter like so:

$sth->bindValue(':user_id', $user_id_value);

And I'd still be safe from SQL injections.

However, bindValue() also has an optional parameter called data_type, which allows you to set an explicit data type. Example:

$sth->bindValue(':user_id', $user_id_value, PDO::PARAM_INT);

That allows me to state that user_id will be an integer.

My question is: Why use the data_type parameter in bindValue if you're safe against SQL injections with or without it? Is it there to force data integrity? If you're validating your data beforehand, do you need to worry about using it? Are there any other benefits to using it that I haven't thought about?

Wayne Whitty

1 Answer


Basically - yes. Enforcing data_types is a good thing.

Don't assume protection against injection - a long time ago I saw a blog post detailing injection using UTF-8 codes for back-ticks, quotes and what-not which, while not escaped, were evaluated as single characters and hence allowed injection.

That's not to say that this hasn't been addressed nor am I saying you are vulnerable - just saying assuming is sometimes not the best thing to do...

Ian Wood

  • What part of the question do you answer? I still don't see any argumentation apart from "it's a good thing", which isn't a technical explanation at all – zerkms Sep 07 '12 at 11:43
  • erm... you asked if it's there to force data type integrity. If you don't want to use it, don't. I use it because I like that extra layer of enforcement. - every little helps [as meth users would say] – Ian Wood Sep 07 '12 at 12:04
  • I'm not an OP. But still - "because I like that extra layer of enforcement" - is not a technical explanation. Can you give any example where that extra layer of enforcement can be really useful, and there is difference with and without explicit type specification? – zerkms Sep 07 '12 at 12:07
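As an added example (not code from the question or the answer), assuming PHP 8 with the pdo_sqlite extension and a constructed in-memory table: the question's statement is run with the same value bound once with the default type and once with PDO::PARAM_INT. The point it shows is that the type hint makes the driver coerce the value the way an (int) cast would (leading digits kept, floats truncated), so it enforces the type but does not validate the input, which is why validating beforehand still matters.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or answer. Assumes the pdo_sqlite
// extension; the table and rows below are constructed for the demonstration.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE `user` (`user_id` INTEGER, `name` TEXT NOT NULL)');
$dbh->exec("INSERT INTO `user` (`user_id`, `name`) VALUES (1, 'alice'), (7, 'bob')");

/**
 * Run the question's prepared statement with $value bound once with the
 * default type (PDO::PARAM_STR) and once with PDO::PARAM_INT, and return
 * the names each binding matched. No quoting is done by hand in either
 * case, so neither variant is open to injection; they differ only in how
 * the driver converts the value before it reaches SQLite.
 */
function lookupByBothTypes(PDO $dbh, mixed $value): array
{
    $results = [];
    foreach (['default' => null, 'PARAM_INT' => PDO::PARAM_INT] as $label => $type) {
        $sth = $dbh->prepare('SELECT `name` FROM `user` WHERE `user_id` = :user_id');
        if ($type === null) {
            $sth->bindValue(':user_id', $value);            // sent to the driver as text
        } else {
            $sth->bindValue(':user_id', $value, $type);     // coerced like (int) $value
        }
        $sth->execute();
        $results[$label] = $sth->fetchAll(PDO::FETCH_COLUMN);
    }
    return $results;
}

// A clean id, an id with trailing junk (PARAM_INT keeps the leading digits,
// the text binding matches nothing), and a float (PARAM_INT truncates it).
// If silent coercion is not acceptable, validate the input before binding.
foreach (['7', '7abc', 7.9] as $input) {
    printf("%-6s => %s\n", var_export($input, true), json_encode(lookupByBothTypes($dbh, $input)));
}
```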