re: Dynamic data and SQL statement

In PHP, using prepared statements DOES NOT prevent all possible and practical attacks.

First of all, great job trying to encourage security in PHP applications!

Second, the article you linked to doesn't explain it very well. They also link to the official documentation of PostgreSQL for prepared statements and then they just run performance benchmarks.

I highly recommend you and any other PHP developers check out ParagonIE and PHP Delusions.

And here is a blog post all about preventing SQL injections by ParagonIE.

Another great article about preventing SQL injection is here. Don't forget to check out their tutorial on PDO.

When you're configuring PDO connections, make sure to set PDO::ATTR_EMULATE_PREPARES to false, yes I said FALSE! Although, be warned: in some specific cases it may fall back to emulated prepared statements without any notice. More about PDO configuration variables here.

Use whitelists for table or column names! Do not "manually sanitize" these values!

TL;DR

  • Use PDO.
  • Set PDO::ATTR_EMULATE_PREPARES to false.
  • For database connections, set the character encoding to utf8mb4.
  • Use prepared statements wherever you can.
  • Validate input. (helps prevent SQL injection)
  • Wherever you can't use prepared statements, WHITELIST!!!

FYI, for MySQL, utf8mb4 is UTF-8. Just make sure you use UTF-8 encoding.

PDO is well known, easier, and is used by more people today than mysql_* and mysqli.
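An added example (written here, not part of the commenter's post) that applies the recommendations above in one PDO setup: utf8mb4 in the DSN, emulated prepares disabled, bound parameters for values, and a whitelist for the column name and sort direction, which cannot be parameterized. The host, database name, credentials and the `users` table are placeholders.

```php
<?php
// Added example, not from the original comment. Host, database, credentials
// and the users table are placeholders.
declare(strict_types=1);

function connect(): PDO
{
    // utf8mb4 in the DSN sets the connection encoding up front; a client/server
    // encoding mismatch is one of the classic ways escaping-based defenses fail.
    $dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'app_user', 'app_password', [
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, never silently
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Values travel as bound parameters. Identifiers (column name, ORDER BY
// direction) cannot be bound, so they are mapped through a fixed whitelist
// and only the whitelisted string is ever placed into the SQL text.
function findUsers(PDO $pdo, string $email, string $orderBy, string $direction): array
{
    // Validate the value before it reaches the database at all.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid e-mail address');
    }

    $allowedColumns    = ['id' => 'id', 'email' => 'email', 'created_at' => 'created_at'];
    $allowedDirections = ['asc' => 'ASC', 'desc' => 'DESC'];
    $dirKey = strtolower($direction);

    if (!isset($allowedColumns[$orderBy], $allowedDirections[$dirKey])) {
        throw new InvalidArgumentException('Unsupported sort column or direction');
    }
    $column = $allowedColumns[$orderBy];   // whitelisted identifier, not user text
    $dir    = $allowedDirections[$dirKey];

    $sql  = "SELECT id, email, created_at FROM users WHERE email = :email ORDER BY `$column` $dir";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':email' => $email]);  // value is bound, never concatenated
    return $stmt->fetchAll();
}

// Usage: $rows = findUsers(connect(), 'alice@example.com', 'created_at', 'desc');
```

Anything that is not one of the whitelist keys is rejected before any SQL is built, which is what "whitelist, don't sanitize" means in practice for identifiers.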

 

Thanks, I'll take the time to update my article, although I'll need a little bit of time, and of sleep.

Edit 1. About the link for prepared statements (link), I made the rookie mistake to read the beginning and skip the end. I'll try to find an article to actually explain the real preparation mechanism.

Maybe you have one I could link?

Edit 2. Didn't change the article about prepared statements, but I'll use the Hitchhiker's Guide instead.

Edit 3. Fixed.
