
I have been reading about `$_POST` values being used directly in insert statements and understand that this is an invitation for trouble. What is not clear in any of the posts I read was: say my form is sending 7 items to my mysqli insertion script and I use the posted values like this:

    $stmt = $mysqli->prepare("INSERT INTO `advertisements` (`from`, `r_u_res`, `email`, `blockname`, `floorno`, `doorno`, `content`) VALUES (?, ?, ?, ?, ?,?,?)");
    $stmt->bind_param('sssssss', $_POST['from'], $_POST['rures'], $_POST['email'], $_POST['blockname'], $_POST['floorno'], $_POST['doorno'], $_POST['content']);

    $stmt->execute(); 
    $stmt->close();

Would that be the correct way to do it? Or should I first store the posted values in new variables and use those variables while binding? Like this:

    $postedfrom = $_POST['from'];
    $postedrures = $_POST['rures'];
    $postedemail = $_POST['email'];
    $postedblockname = $_POST['blockname'];
    $postedfloorno = $_POST['floorno'];
    $posteddoorno = $_POST['doorno'];
    $postedcontent = $_POST['content'];

    $stmt = $mysqli->prepare("INSERT INTO `advertisements` (`from`, `r_u_res`, `email`, `blockname`, `floorno`, `doorno`, `content`) VALUES (?, ?, ?, ?, ?,?,?)");
    $stmt->bind_param('sssssss', $postedfrom, $postedrures, $postedemail, $postedblockname, $postedfloorno, $posteddoorno, $postedcontent);

    $stmt->execute(); 
    $stmt->close();      

I saw a post, "OO mysqli prepared statements help please", where the answer does seem to be like the code above, but I want to know whether doing it like the first code poses security issues.

Dharman
vinaya
  • The first solution would be OK from a security point of view. Now you may want to also do some data verification server-side, and then the second notation would be better, as you can test and transform before assigning POST values to their respective variables – Laurent S. Jul 08 '13 at 12:59
  • Thank you @Bartdude - but OMG! I thought that was it! Test and transform? Thanks anyway for pointing me towards the next step I need to take! – vinaya Jul 08 '13 at 13:13
  • You should always sanitize your input... you'd be amazed what users are able to do, and you don't want incorrect data to end up in your database. Transformation could be to turn every email to lowercase, for example, or more advanced treatment you would want... – Laurent S. Jul 08 '13 at 13:16

1 Answer


Both forms are equivalent from a security perspective, as PHP first resolves the values to be passed in the method call to `$stmt->bind_param`, thus that function sees the exact same values in both cases.

PS: both snippets look OK to me.

mnagel
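The following is an added example, not code from the question or the answer above. It shows the point made in the comments and in the answer together: the prepared statement with bound parameters is what keeps user input from being interpreted as SQL in either form, while a separate validate-and-transform step (as the second form makes room for) decides which *values* are acceptable before they are bound. The seven fields, the table and the column names are taken from the question; the length limits, the integer ranges for `floorno`/`doorno`, the function names and the connection parameters are assumptions.

```php
<?php
// Added example (not from the question or answer): validate and normalise the
// seven POSTed fields server-side, then bind them to the prepared INSERT from the question.
declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false on errors.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Validate and normalise the posted advertisement fields ("test and transform").
 * Returns the cleaned values keyed by form field name, or throws on bad input.
 * Limits and ranges below are assumed; adjust them to the real column definitions.
 */
function validate_advertisement(array $post): array
{
    $required = ['from', 'rures', 'email', 'blockname', 'floorno', 'doorno', 'content'];
    $clean = [];
    foreach ($required as $key) {
        // A missing key or an array submitted via field[] is rejected outright.
        if (!isset($post[$key]) || !is_string($post[$key])) {
            throw new InvalidArgumentException("missing or non-string field: $key");
        }
        $clean[$key] = trim($post[$key]);
    }

    // email: normalise to lowercase, then validate the syntax.
    $clean['email'] = strtolower($clean['email']);
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }

    // floor and door numbers: integers in a plausible (assumed) range.
    foreach (['floorno', 'doorno'] as $key) {
        $n = filter_var($clean[$key], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0, 'max_range' => 9999]]);
        if ($n === false) {
            throw new InvalidArgumentException("$key must be an integer between 0 and 9999");
        }
        $clean[$key] = (string) $n;   // bound with 's' below, as in the question
    }

    // free-text fields: non-empty and within assumed column sizes.
    $limits = ['from' => 100, 'rures' => 20, 'blockname' => 50, 'content' => 2000];
    foreach ($limits as $key => $max) {
        if ($clean[$key] === '' || mb_strlen($clean[$key]) > $max) {
            throw new InvalidArgumentException("$key must be 1..$max characters");
        }
    }
    return $clean;
}

/**
 * Insert one validated advertisement. The SQL text contains no user data;
 * the values travel separately as bound parameters, so the database never
 * parses them as SQL, whichever way they were stored beforehand.
 */
function insert_advertisement(mysqli $mysqli, array $ad): int
{
    $stmt = $mysqli->prepare(
        'INSERT INTO `advertisements` (`from`, `r_u_res`, `email`, `blockname`, `floorno`, `doorno`, `content`)'
        . ' VALUES (?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sssssss', $ad['from'], $ad['rures'], $ad['email'],
        $ad['blockname'], $ad['floorno'], $ad['doorno'], $ad['content']);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Usage (connection parameters are placeholders):
$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$mysqli->set_charset('utf8mb4');

try {
    $ad = validate_advertisement($_POST);
    $id = insert_advertisement($mysqli, $ad);
    echo 'stored advertisement #' . $id;
} catch (InvalidArgumentException $e) {
    // Reject bad input with a 400; escape the message because it echoes field names.
    http_response_code(400);
    echo 'Rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

The validation step does nothing for SQL injection; the prepared statement already covers that, exactly as the answer says. What it adds is control over the data that reaches the table (wrong types, empty strings, oversized content, inconsistent email case) and a single place to reject requests before a row is written. Escaping on output (`htmlspecialchars` when the stored `content` is later displayed) remains a separate concern from both.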