Password security: Should I use Mysqli - real_escape_string or bind_param?

3

Mysqli = > real_escape_string

I want the password storage to be as secure as possible, I am currently using only mysqli => real_escape_string :

$password = $_POST['password'];
$password_safe = $mysqli -> real_escape_string($password);

Is it better to use sttm::bindParam , prepare and execute ?

    
asked by anonymous 25.05.2014 / 17:55

1 answer

4

The results are equivalent both so:

$safeuser     = $mysqli -> real_escape_string($user    );
$safepassword = $mysqli -> real_escape_string($password);
$mysqli->query( "INSERT INTO usuarios ( nome, senha ) VALUES ( '$safeuser','$safepassword' )" );

... as well:

$stmt = $mysqli->prepare( 'INSERT INTO usuarios ( nome, senha ) VALUES ( ?, ? )' );
$stmt->bind_param("ss", $user, $password );
$stmt->execute();

However, prepared statements have some advantages:

  • The original query becomes much more readable (just like the rest of the code).
  • You do not need to deal with the quotation marks in your query, regardless of the parameter type.
  • You have no danger of forgetting to handle the variables.
  • You do not need to create intermediate variables or change the originals to insert into the database;
  • This is not your case, but in situations where the query is going to be executed multiple times just by changing values, the MySQL connector will only send the updated data, in query and redo planning (which is the great differential of doing native binding by the server).
27.05.2014 / 22:06