Are PDO constants necessary for security?

Hello,

I am using the following method to update my database. I was wondering if there are any security issues by not using constants such as PDO::PARAM_STR and PDO::PARAM_INT?

[php]
$stmt = $database->prepare($sql);
$stmt->bindParam(":carbrand", $CarBrand, PDO::PARAM_STR);
$stmt->bindParam(":carname", $CarName, PDO::PARAM_STR);
$stmt->bindParam(":date", $date, PDO::PARAM_STR);
$stmt->bindValue(":viewed", "1", PDO::PARAM_INT);
$stmt->bindParam(":ip", $ip, PDO::PARAM_STR);
[/php]

Thank you.

No, not really, as long as you make sure
[php]
$db_options = array(
    /* important! use actual prepared statements (default: emulate prepared statements) */
    PDO::ATTR_EMULATE_PREPARES => false
    /* throw exceptions on errors (default: stay silent) */
    , PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
    /* fetch associative arrays (default: mixed arrays) */
    , PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
);
$this->_connection = new PDO('mysql:host=' . DATABASE_HOST . ';dbname=' . DATABASE_NAME . ';charset=utf8', DATABASE_USERNAME, DATABASE_PASSWORD, $db_options);
[/php]

you don't use emulated prepared statements. Then you could simply do something like:
[php]$stmt->execute([ ':carbrand' => $carbrand, ':carname' => $carName /* etc… */ ]);[/php]
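
Added example, not part of either post above: the two binding styles from the thread run side by side, showing that a value containing SQL metacharacters is stored as plain data in both cases. It assumes an in-memory SQLite database in place of the thread's MySQL connection so it runs without a server; the `cars` table, its columns and the sample values are constructed for the demonstration.

```php
<?php
// Added example: SQLite in memory stands in for the thread's MySQL database.
// Table name, columns and sample values are constructed for this demonstration.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$db->exec('CREATE TABLE cars (carbrand TEXT, carname TEXT, viewed INTEGER, ip TEXT)');

$sql = 'INSERT INTO cars (carbrand, carname, viewed, ip)
        VALUES (:carbrand, :carname, :viewed, :ip)';

// Constructed input containing quote and comment characters.
$carName = "Coupe'; -- \"GT\"";

// Style 1: explicit type constants, as in the question.
$stmt = $db->prepare($sql);
$stmt->bindValue(':carbrand', 'Acme', PDO::PARAM_STR);
$stmt->bindValue(':carname', $carName, PDO::PARAM_STR);
$stmt->bindValue(':viewed', 1, PDO::PARAM_INT);
$stmt->bindValue(':ip', '192.0.2.10', PDO::PARAM_STR);
$stmt->execute();

// Style 2: array passed to execute(), as in the answer.
// PDO treats every value in the array as PDO::PARAM_STR.
$stmt = $db->prepare($sql);
$stmt->execute([
    ':carbrand' => 'Acme',
    ':carname'  => $carName,
    ':viewed'   => '1',
    ':ip'       => '192.0.2.10',
]);

// Compare what was stored with what was supplied, for both rows.
$rows = $db->query('SELECT carname, viewed, typeof(viewed) AS t FROM cars')->fetchAll();
foreach ($rows as $i => $row) {
    printf(
        "row %d: carname=%s viewed=%s (%s) stored verbatim=%s\n",
        $i + 1,
        $row['carname'],
        $row['viewed'],
        $row['t'],
        $row['carname'] === $carName ? 'yes' : 'no'
    );
}
printf("rows in table: %d\n", count($rows));
```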
