Should I use prepare in Procedures

1

Below I have a code snippet adapted to exemplify this question:

<?php

// Values to bind; the keys match the named placeholders in the CALL statement.
$params = [
    ':codUser'     => $_SESSION['data-user']['codigo'],
    ':codCarrinho' => $codCarrinho,
    ':codPremio'   => $codPremio,
    ':quantidade'  => $quantidade,
    ':subtotal'    => $subtotal
];

$query = 'CALL addItemCarrinho(:codUser, :codCarrinho, :codPremio, :quantidade, :subtotal)';

// self::getConn() returns the PDO connection (defined elsewhere in the class).
$preparedQuery = self::getConn()->prepare($query);
foreach ($params as $key => $value) {
    $preparedQuery->bindValue($key, $value);
}

$preparedQuery->execute();
$result = $preparedQuery->fetchAll(PDO::FETCH_OBJ);

?>

This is the form I currently use. But I've been researching and reading some articles that say it's not necessary to use prepare in procedures. But out of fear I continue to use it. My question is: is it possible to use SQL injection in procedures?

asked by anonymous 10.02.2017 / 18:27

1 answer

1

Ideally, you should continue using prepare to assemble your procedure calls.

Probably, when it was commented that procedures would not require the use of prepare, it is because they use the information passed as parameters internally, and this would avoid SQL injection within their execution. Even so, when you are writing the call in PHP, it might be that the person can use SQL injection in that call.

10.02.2017 / 18:51
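To make the point of the question and the answer concrete, here is an added example that is not part of the original post. It puts the weak pattern (a CALL string assembled from user-controlled values, which is exactly where an injection would land even though the procedure body itself only uses its parameters) beside the prepared, typed version of the call from the question. It assumes a MySQL database exposing the `addItemCarrinho` procedure from the post; the DSN, credentials, `validateInt` and `validateDecimal` helpers, and the sample values are assumptions constructed for illustration.

```php
<?php
// Added example, not the original poster's code. Assumes MySQL with the stored
// procedure addItemCarrinho(codUser, codCarrinho, codPremio, quantidade, subtotal).

// Connection settings are placeholders; replace with your own.
$dsn  = 'mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4';
$pdo  = new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly instead of silently
    PDO::ATTR_EMULATE_PREPARES => false, // let the server parse the statement, values sent apart
]);

// WEAK PATTERN: the procedure is safe internally, but the CALL text is built by
// string interpolation, so whatever arrives in $codUser etc. becomes part of the SQL.
function callUnsafe(PDO $pdo, string $codUser, string $codCarrinho, string $codPremio,
                    string $quantidade, string $subtotal): array
{
    $sql  = "CALL addItemCarrinho($codUser, $codCarrinho, $codPremio, $quantidade, $subtotal)";
    $stmt = $pdo->query($sql); // injection point is this call site, not the procedure body
    $rows = $stmt->fetchAll(PDO::FETCH_OBJ);
    $stmt->closeCursor();
    return $rows;
}

// HARDENED PATTERN: the statement shape is fixed at prepare time; the values are
// bound with explicit types and can never alter the SQL that the server executes.
function callSafe(PDO $pdo, int $codUser, int $codCarrinho, int $codPremio,
                  int $quantidade, string $subtotal): array
{
    $stmt = $pdo->prepare(
        'CALL addItemCarrinho(:codUser, :codCarrinho, :codPremio, :quantidade, :subtotal)'
    );
    $stmt->bindValue(':codUser',     $codUser,     PDO::PARAM_INT);
    $stmt->bindValue(':codCarrinho', $codCarrinho, PDO::PARAM_INT);
    $stmt->bindValue(':codPremio',   $codPremio,   PDO::PARAM_INT);
    $stmt->bindValue(':quantidade',  $quantidade,  PDO::PARAM_INT);
    // DECIMAL columns have no PDO type; bind the validated string so no float rounding occurs.
    $stmt->bindValue(':subtotal',    $subtotal,    PDO::PARAM_STR);
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_OBJ);
    // MySQL stored procedures return an extra status result set; free it before the next query.
    $stmt->closeCursor();
    return $rows;
}

// Boundary validation (assumed helpers): reject anything that is not the expected shape
// before it reaches the database, so bad input fails here with a clear error.
function validateInt(mixed $value, string $name): int
{
    $int = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($int === false) {
        throw new InvalidArgumentException("$name must be a positive integer");
    }
    return $int;
}

function validateDecimal(mixed $value, string $name): string
{
    if (!is_string($value) && !is_int($value) && !is_float($value)) {
        throw new InvalidArgumentException("$name must be numeric");
    }
    $value = (string) $value;
    if (!preg_match('/^\d{1,10}(\.\d{1,2})?$/', $value)) {
        throw new InvalidArgumentException("$name must look like 123.45");
    }
    return $value;
}

// Constructed sample request values standing in for $_POST / $_SESSION input.
$input = ['codUser' => '7', 'codCarrinho' => '42', 'codPremio' => '13',
          'quantidade' => '2', 'subtotal' => '19.90'];

try {
    $result = callSafe(
        $pdo,
        validateInt($input['codUser'], 'codUser'),
        validateInt($input['codCarrinho'], 'codCarrinho'),
        validateInt($input['codPremio'], 'codPremio'),
        validateInt($input['quantidade'], 'quantidade'),
        validateDecimal($input['subtotal'], 'subtotal')
    );
    var_dump($result);
} catch (InvalidArgumentException $e) {
    // Log and return a generic error to the client; never echo raw input back.
    error_log('addItemCarrinho rejected input: ' . $e->getMessage());
}
```

The difference to look for is in what reaches the server: `callUnsafe` sends one string in which data and SQL are already mixed, while `callSafe` sends the fixed statement text and the five values on separate channels, which is what makes the prepared call safe regardless of how the procedure is written. Disabling emulated prepares keeps that separation real rather than a client-side quoting step, and `closeCursor()` is needed after a MySQL `CALL` because the server returns a trailing status result set.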